Support verifying digests in addition to artifacts #158
Conversation
dee7a56 to 5c4cda3
Signed-off-by: Facundo Tuesca <[email protected]>
5c4cda3 to b53fd47
LGTM, nice work @facutuesca!
This is good to go, but CCing @steiza @kommendorkapten @loosebazooka as other client maintainers who will probably want to be aware of this as it goes in -- you'll likely need to update your conformance wrappers!
Adding @bdehamer for sigstore-js. This should be fine for sigstore-go - it's easy for us to set our verification policy accordingly. I don't think this will work with cosign, which maps But that's not a problem with this pull request - we'll have to figure out how to have cosign additionally handle digests, maybe as part of the

Thanks @facutuesca, nice work here!
This PR adds support for verifying hashes (instead of files) to the CLI protocol (only when verifying bundles).

It also adapts the sigstore-python-conformance helper to support it, given sigstore-python supports verifying hashes since v3.3.0. All the existing bundle verification tests have been parametrized to also test the hash verification, in addition to the existing Path (file) verification.

This closes #157

cc @woodruffw