sigstore / sigstore-rs

An experimental Rust crate for sigstore
https://sigstore.github.io/sigstore-rs/sigstore/
Apache License 2.0

Signed Certificate Timestamp verification #326

Closed tnytown closed 1 week ago

tnytown commented 5 months ago

Blocked on #311.

Summary

Adds Signed Certificate Timestamp verification and hooks it up to the bundle signing flow. SCT verification ensures that the signing certificate in a given operation has been submitted to the Certificate Transparency log, which aids in the detection of malicious certificates and keeps Certificate Authorities like Fulcio honest.

Release Note

Documentation

No user-facing documentation needed; we automatically perform SCT validation when the public sign and verify APIs are used.
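Added example, not code from this pull request or from sigstore-rs: a std-only sketch of the two data layouts SCT verification depends on, the serialized SCT and the byte string the CT log signs, both per RFC 6962 section 3.2. It assumes an SCT embedded in the certificate (a precertificate entry); the names `Sct`, `parse_sct` and `signed_input` are hypothetical, and checking the signature over `signed_input` against the log's public key is left to a crypto library.

```rust
// Added illustration, not sigstore-rs code; layouts follow RFC 6962 section 3.2.
pub struct Sct {
    pub log_id: [u8; 32],  // SHA-256 of the CT log's public key
    pub timestamp_ms: u64, // milliseconds since the Unix epoch
    pub extensions: Vec<u8>,
    pub algs: (u8, u8),    // TLS (hash, signature) ids, e.g. (4, 3) = SHA-256, ECDSA
    pub signature: Vec<u8>,
}

// Split `n` bytes off the front of `buf`, rejecting truncated input.
fn take<'a>(buf: &mut &'a [u8], n: usize) -> Result<&'a [u8], &'static str> {
    let whole: &'a [u8] = *buf;
    if whole.len() < n { return Err("truncated SCT"); }
    let (head, rest) = whole.split_at(n);
    *buf = rest;
    Ok(head)
}

// Read an opaque vector with a big-endian u16 length prefix.
fn take_vec16(buf: &mut &[u8]) -> Result<Vec<u8>, &'static str> {
    let len = take(buf, 2)?;
    Ok(take(buf, u16::from_be_bytes([len[0], len[1]]) as usize)?.to_vec())
}

pub fn parse_sct(mut buf: &[u8]) -> Result<Sct, &'static str> {
    if take(&mut buf, 1)?[0] != 0 { return Err("unsupported SCT version"); }
    let (mut log_id, mut ts) = ([0u8; 32], [0u8; 8]);
    log_id.copy_from_slice(take(&mut buf, 32)?);
    ts.copy_from_slice(take(&mut buf, 8)?);
    let extensions = take_vec16(&mut buf)?;
    let a = take(&mut buf, 2)?;
    let signature = take_vec16(&mut buf)?;
    if !buf.is_empty() { return Err("trailing bytes after SCT"); }
    Ok(Sct { log_id, timestamp_ms: u64::from_be_bytes(ts), extensions,
             algs: (a[0], a[1]), signature })
}

// Bytes the log signs for a precertificate entry (the `digitally-signed` input).
pub fn signed_input(sct: &Sct, issuer_key_hash: &[u8; 32], tbs: &[u8]) -> Vec<u8> {
    let mut out = vec![0u8, 0]; // sct_version v1, signature_type certificate_timestamp
    out.extend_from_slice(&sct.timestamp_ms.to_be_bytes());
    out.extend_from_slice(&[0, 1]); // entry_type precert_entry
    out.extend_from_slice(issuer_key_hash);
    out.extend_from_slice(&(tbs.len() as u32).to_be_bytes()[1..]); // uint24 length
    out.extend_from_slice(tbs);
    out.extend_from_slice(&(sct.extensions.len() as u16).to_be_bytes());
    out.extend_from_slice(&sct.extensions);
    out
}
```

The `tbs` argument is the certificate's TBSCertificate with the SCT list extension removed, and `issuer_key_hash` is the SHA-256 of the issuing CA's SubjectPublicKeyInfo.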

tnytown commented 4 months ago

This is ready for review, but we should get #311 in first.

tnytown commented 2 months ago

CC @flavio, please take a look at this one after #311; the pertinent changes are at https://github.com/sigstore/sigstore-rs/pull/326/commits/c9ad592d3af61df42149c06bdda0e076c346ceab :)

flavio commented 2 months ago

@tnytown is this one ready to be reviewed?

tnytown commented 2 months ago

> is this one ready to be reviewed?

Yes, thanks for the ping @flavio!

tnytown commented 2 weeks ago

@flavio gentle ping on this PR :)

tnytown commented 1 week ago

> LGTM, I left two minor suggestions.

@flavio I applied the changes, thanks! Let me know if there's anything else you need.

flavio commented 1 week ago

I think it’s all good. Can you file some issues to keep track of the few TODOs that are left?