theupdateframework / go-tuf

Go implementation of The Update Framework (TUF)
https://theupdateframework.com
Apache License 2.0

Implementing TAP for TUF developer key management #161

Open asraa opened 2 years ago

asraa commented 2 years ago

https://github.com/theupdateframework/taps/pull/141/files

This basically requires two things: (1) adding an optional cert key-value pair into the signature; (2) signature verification will include verifying the certificate against Fulcio's root, and verifying that the signing was done while the certificate was valid.

Adding (1) is easy in go-tuf.

Adding (2): should this happen in this reference implementation? The change is clear to me -- Verify(msg, sig []byte) error implemented by key verifier types will instead generalize to take in a data.Signature so that the key type implementation can handle validating Signature.Cert in addition to the Signature.Signature bytes.

However, I would need to pull in sigstore dependencies. Can I make the API changes (1) and Verify(msg, sig data.Signature) error first in go-tuf and make a test key that "mocks" out the sigstore dependencies?
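The shape of change (1) and (2) above, as an added example that is not go-tuf's code and not part of this issue: a Signature type with an optional certificate, a Verify that takes the whole Signature, and an in-memory CA standing in for Fulcio so the test needs no sigstore dependency. The field name Cert, the MockCA and CertVerifier types, and the SigningTime parameter are assumptions for illustration; go-tuf's real data.Signature differs. Only the Go standard library is used.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Signature carries the signature bytes plus an optional DER certificate,
// mirroring the optional cert key-value pair proposed in the TAP (name assumed).
type Signature struct {
	KeyID     string
	Signature []byte
	Cert      []byte // empty for ordinary keys, a leaf cert for Fulcio-style keys
}

// Verifier is the generalized interface from the comment: the key type sees
// the whole Signature so it can validate Cert, not just the raw bytes.
type Verifier interface {
	Verify(msg []byte, sig Signature) error
}

// CertVerifier checks a signature made under a short-lived certificate.
// Roots stands in for the Fulcio root. SigningTime is the time the signature
// is claimed to have been made; it must come from a trusted source (a signed
// timestamp or transparency-log entry), never from the signer's own word.
type CertVerifier struct {
	Roots       *x509.CertPool
	SigningTime time.Time
}

func (v CertVerifier) Verify(msg []byte, sig Signature) error {
	if len(sig.Cert) == 0 {
		return errors.New("cert-backed key requires a certificate in the signature")
	}
	leaf, err := x509.ParseCertificate(sig.Cert)
	if err != nil {
		return fmt.Errorf("parse cert: %w", err)
	}
	// Chain to the root at the signing time, not at "now": by the time a
	// client verifies, the ephemeral certificate is expected to have expired.
	_, err = leaf.Verify(x509.VerifyOptions{
		Roots:       v.Roots,
		CurrentTime: v.SigningTime,
		KeyUsages:   []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning},
	})
	if err != nil {
		return fmt.Errorf("cert not valid at signing time: %w", err)
	}
	pub, ok := leaf.PublicKey.(*ecdsa.PublicKey)
	if !ok {
		return errors.New("unsupported leaf key type")
	}
	digest := sha256.Sum256(msg)
	if !ecdsa.VerifyASN1(pub, digest[:], sig.Signature) {
		return errors.New("signature does not verify under the certified key")
	}
	return nil
}

// MockCA is a constructed test double for Fulcio: a self-signed root that
// issues short-lived leaves, so tests can run without sigstore packages.
type MockCA struct {
	root    *x509.Certificate
	rootKey *ecdsa.PrivateKey
	Roots   *x509.CertPool
}

func NewMockCA() (*MockCA, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { return nil, err }
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "mock-fulcio-root"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(10 * 365 * 24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil { return nil, err }
	root, err := x509.ParseCertificate(der)
	if err != nil { return nil, err }
	pool := x509.NewCertPool()
	pool.AddCert(root)
	return &MockCA{root: root, rootKey: key, Roots: pool}, nil
}

// Issue returns a DER leaf valid only in [notBefore, notAfter] and its key.
func (ca *MockCA) Issue(notBefore, notAfter time.Time) ([]byte, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { return nil, nil, err }
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "developer@example.com"},
		NotBefore: notBefore, NotAfter: notAfter,
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca.root, &key.PublicKey, ca.rootKey)
	return der, key, err
}

// Sign produces a Signature that carries the certificate next to the bytes.
func Sign(msg []byte, key *ecdsa.PrivateKey, certDER []byte) (Signature, error) {
	digest := sha256.Sum256(msg)
	sigBytes, err := ecdsa.SignASN1(rand.Reader, key, digest[:])
	return Signature{KeyID: "ephemeral", Signature: sigBytes, Cert: certDER}, err
}

// Demo signs with a 10-minute leaf and verifies once inside the window and
// once an hour later; only the first should succeed.
func Demo() (inside, afterExpiry error, err error) {
	ca, err := NewMockCA()
	if err != nil { return nil, nil, err }
	issued := time.Now()
	certDER, key, err := ca.Issue(issued, issued.Add(10*time.Minute))
	if err != nil { return nil, nil, err }
	msg := []byte(`{"signed":{"_type":"targets"}}`) // constructed sample payload
	sig, err := Sign(msg, key, certDER)
	if err != nil { return nil, nil, err }
	inside = CertVerifier{Roots: ca.Roots, SigningTime: issued.Add(time.Minute)}.Verify(msg, sig)
	afterExpiry = CertVerifier{Roots: ca.Roots, SigningTime: issued.Add(time.Hour)}.Verify(msg, sig)
	return inside, afterExpiry, nil
}

func main() {
	inside, after, err := Demo()
	fmt.Println("setup error:", err, "| inside window:", inside, "| after expiry:", after)
}
```

The point the sketch makes concrete is that the verifier pins certificate validity to the signing time rather than to the clock at verification, which is the only way an ephemeral-certificate scheme can verify metadata long after the certificate expired; the trustworthiness of that time is therefore the load-bearing assumption, and the real implementation would take it from a signed timestamp or log inclusion proof rather than a field the signer controls.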

trishankatdatadog commented 2 years ago

However, I would need to pull in sigstore dependencies. Can I make the API changes (1) and Verify(msg, sig data.Signature) error first in go-tuf and make a test key that "mocks" out the sigstore dependencies?

Hmm, interesting. Not sure everyone would need sigstore dependency. Could we perhaps use conditional compilation (CC) for anyone who needs this feature? I know @hosseinsia is looking into CC for building lean, mean partial verification clients.