Sigstore Bundle generation and associated machinery, following sigstore-python API design where practical.

New functionality by crate:

- `tuf`: `SigstoreRepository`: Trusted Root based TUF client.
- `verify`: `VerificationMaterials`, `Verifier`: Sigstore bundle deserializer and verifier.
- `sign`: `SigningSession`, `SigningContext`, `SigningArtifact`: Bundle signing machinery patterned off of sigstore-python.
- `fulcio`: Support for the `v2` `signingCert` API in `FulcioClient`, which now takes an X.509 CSR.
- `oauth`: `IdentityToken` convenience type for OIDC tokens.

Changed:

- `crypto`: `CertificatePool` overhaul for chain building based on `rustls_webpki`.
- `cosign`, `examples`: Various adaptations to get things building with the changed API surfaces.
- `sigstore-conformance` client now plumbs into the bundle machinery :)

TODOs (not comprehensive, grep for `TODO(tnytown)`, `todo!`, and `unimplemented!`):

- `PrecertificateSignedCertificateTimestamps` is not in `x509_cert`
- `VerificationMaterials::from_bundle` and manually implement what isn't covered by `webpki`
- `unwrap` and `expect`, replace where appropriate
- `VerificationMaterials::from_bundle`: do we want to set up error types?
- `FulcioClient`'s new endpoint to `async`, look into making async variants of `SigstoreRepository`, `Verifier`, `SigningSession`, and `SigningArtifact`.
- `sigstore_protobuf_specs` generation?

Low priority TODOs (not necessary for upstreaming this work):

- `CosignVerificationKey` up