New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
ArtC: Add data.fileInformation.integrityProtection #320
ArtC: Add data.fileInformation.integrityProtection #320
Conversation
37fb520
to
5064038
Compare
This new member allows publishers to include the checksum of the artifact's file(s) when the artifact is announced, allowing consumers to verify that the file they eventually download is the original file.
5064038
to
3e36607
Compare
Here's a diff between ArtC 3.2.0 and 3.3.0:
|
You provide quite a good argumentation in the issue text, regarding the relation to the meta.security.integrityProtection. I think it would be valuable to document that also in the spec. Would you be able to add a section about "Integrity of Referenced Items" or similar, to eiffel-syntax-and-usage/security.md for example? Also, there is a huge buzz nowadays in open source communities around sigstore and cosign for signing things like artifacts. I believe that we eventually should support such signing utilities and that will probably affect this integrityProtection property. Is it worth it to include such signed signatures now, or should we take that later, with the risk of getting deprecated properties here? |
Good idea. It's easy to forget the non-reference documentation when making protocol changes.
Cosign appears to be targeting OCI images only. That doesn't preclude its use for ArtC entirely but would limit the scope. I don't feel I understand Sigstore and friends well enough to be able get them into the protocol. I can't even tell whether it makes sense to have ArtC support Sigstore unless combined with meta.security signing, or what Sigstore really buys us if we have the hash proposed in this PR and meta.security signing is used. IOW I suggest moving forward with what we have. It's better than nothing and should be quite secure if combined with meta.security. |
This relates to the old issue #289 |
b412c90
to
7a2d76f
Compare
Done. |
Applicable Issues
Fixes #290
Description of the Change
This new (optional) member allows publishers to include the checksum of the artifact's file(s) when the artifact is announced, allowing consumers to verify that the file they eventually download is the original file.
Alternate Designs
None.
Benefits
Makes it possible to catch deliberate and non-deliberate tampering of artifact files. Should be combined with signed events but has value on its own.
Possible Drawbacks
None. It's an optional member.
Sign-off
Developer's Certificate of Origin 1.1
By making a contribution to this project, I certify that:
(a) The contribution was created in whole or in part by me and I have the right to submit it under the open source license indicated in the file; or
(b) The contribution is based upon previous work that, to the best of my knowledge, is covered under an appropriate open source license and I have the right under that license to submit that work with modifications, whether created in whole or in part by me, under the same open source license (unless I am permitted to submit under a different license), as indicated in the file; or
(c) The contribution was provided directly to me by some other person who certified (a), (b) or (c) and I have not modified it.
(d) I understand and agree that this project and the contribution are public and that a record of the contribution (including all personal information I submit with it, including my sign-off) is maintained indefinitely and may be redistributed consistent with this project or the open source license(s) involved.
Signed-off-by: Magnus Bäck <magnus.back@axis.com>