[targets v11] Add client signing configuration #1194
Comments
I am not opposed to another artifact in the repo but I'll mention these downsides so it's clear to everyone:
These are all reasonable but the last two items specifically are the price we pay for not just adding new optional fields into
I was re-reading the client notes and I see it’s actually unclear what the decision was on whether or not this should be its own file. @kommendorkapten do you know what the conclusion was?
@haydentherapper the overall agreement was to add a new file to not break anything for the existing clients. It's listed here: (third bullet point:
As we call the trusted root
This should happen in root-signing-staging first
Test in staging ongoing in sigstore/root-signing-staging#157
Just so we're making an informed decision: Has any client implemented SigningConfig support? Or in other words are we sure that the SigningConfig design is good? I notice it does not seem to have a versioning scheme built in. If we are not sure, there is the option of just adding it in root-signing-staging and not here until we have more data.
No, no client has. I had thought sigstore-python did, but they implemented support for the If this is still up for debate whether this should be one of two files, then I think we should hold off until the next signing event.
Ah yes, I forgot sigstore-python has that (via supporting ClientTrustConfig that combines SigningConfig and TrustedRoot).
I was not implying that. I am asking
One question is what about if there are additional services that aren't distributed - what should that UX be? Can a client specify additional tlogs to write to? What about TSAs, where Sigstore isn't distributing such a list? I think we have the right structure for
What I remember is that we should only ship I don't remember why we didn't version the
@kommendorkapten the lack of version isn't intentional, do you want to send a PR to add it?
Yes, I'll fix that.
Description
Tracking issue to add the new client signing configuration described in sigstore/protobuf-specs#277 for the next root/target signing
cc @kommendorkapten