Support verifying detached SCTs #315
Labels
enhancement
New feature or request
Comments
|
We plan to deprecate support for detached SCTs - sigstore/fulcio#1499 The reason is that we have no way to store SCTs currently, so detached SCTs are only checked during signing and not during verification in Cosign. There is also only one signing backend, GCP CA Service, that wouldn’t support embedding SCTs. I’d recommend we just drop support for verifying detached SCTs during signing in Cosign rather than add support here. Most (all?) other clients don’t support them either. |
|
Fair enough. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Description
Currently sigstore-go assumes that an SCT is embedded in a leaf certificate:
sigstore-go/pkg/verify/sct.go
Line 36 in 8a157ab
Fulcio may return either an embedded SCT or a detached SCT in a response header:
https://github.com/sigstore/fulcio/blob/main/docs/ctlog.md#signed-certificate-timestamp-sct
Cosign supports both cases. In order to enable integration of sigstore-go's SCT verification into cosign, which would allow cosign to reuse sigstore-go's excellent TUF trusted root support (described here), it would be nice if sigstore-go provided a way to supply an SCT alongside, rather than embedded in, a certificate.
The text was updated successfully, but these errors were encountered: