Comments (2)
Some thoughts about requirements:
- Applications should be able to use a threshold verification algorithm, which only cares for valid signatures.
- This means, applications should be able to successfully parse metadata (using `Key.from_dict`), and attempt verification (using `key.verify_signature`), even with keys with unknown or unsupported keytypes or schemes.
- Known keytypes and schemes with invalid formats should fail parsing or verification.
- Applications should be able to use a threshold verification algorithm, which only cares for valid signatures.
- This means, applications should be able to successfully parse metadata (using `Key.from_dict`), and attempt verification (using `key.verify_signature`), even with keys with unknown or unsupported keytypes or schemes.
Currently, `Key.from_dict` raises an error on unknown keytypes and schemes. If the application just catches the error and skips the unknown key, it will break any signature verification of the container metadata, if it depends on canonicalisation, which is the default for tuf and in-toto.
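The failure mode discussed in this thread, as an added example that is not part of the original comments and is not securesystemslib code: dropping an unknown key while parsing changes the re-canonicalised bytes, so even a valid signature from a known key stops verifying, while tolerant parsing keeps the bytes intact and simply never counts the unknown key toward the threshold. Assumptions: `ToyKey` and the helper functions are hypothetical, HMAC-SHA256 stands in for a real signature scheme, and `canonical()` is a simplified stand-in for canonical JSON.

```python
import hashlib
import hmac
import json

KNOWN_SCHEMES = {"hmac-sha256"}  # stand-in for a real signature scheme

def canonical(obj):
    # Simplified stand-in for canonical JSON: sorted keys, no whitespace.
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()

class ToyKey:
    """Hypothetical key container, not securesystemslib's Key class."""
    def __init__(self, keytype, scheme, keyval):
        self.keytype, self.scheme, self.keyval = keytype, scheme, keyval

    @classmethod
    def from_dict(cls, d):
        # Tolerant parsing: unknown keytypes and schemes are kept as-is.
        return cls(d["keytype"], d["scheme"], d["keyval"])

    def to_dict(self):
        return {"keytype": self.keytype, "scheme": self.scheme, "keyval": self.keyval}

    def verify_signature(self, sig, data):
        if self.scheme not in KNOWN_SCHEMES:
            return False  # cannot verify, so the signature is not counted
        mac = hmac.new(self.keyval["secret"].encode(), data, hashlib.sha256)
        return hmac.compare_digest(mac.hexdigest(), sig)

def parse_and_reserialise(signed, skip_unknown):
    """Parse keys, then rebuild the canonical bytes the signatures cover."""
    keys = {kid: ToyKey.from_dict(d) for kid, d in signed["keys"].items()
            if not (skip_unknown and d["scheme"] not in KNOWN_SCHEMES)}
    rebuilt = dict(signed, keys={kid: k.to_dict() for kid, k in keys.items()})
    return keys, canonical(rebuilt)

def verify_threshold(keys, sigs, data, threshold):
    # Only valid signatures from distinct parsed keys count.
    valid = {kid for kid, sig in sigs.items()
             if kid in keys and keys[kid].verify_signature(sig, data)}
    return len(valid) >= threshold

# Constructed sample metadata: one known key, one key with an unknown scheme.
SIGNED = {"threshold": 1, "keys": {
    "k1": {"keytype": "hmac", "scheme": "hmac-sha256", "keyval": {"secret": "s3"}},
    "k2": {"keytype": "future", "scheme": "future-scheme", "keyval": {"public": "ab"}},
}}
SIGS = {"k1": hmac.new(b"s3", canonical(SIGNED), hashlib.sha256).hexdigest(),
        "k2": "00"}
```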