Verify SCTs returned by fulcio #600
Conversation
priyawadhwa
force-pushed
the
sct
branch
2 times, most recently
from
898e092
to
435f59f
Compare
|
We should have at least one place where "SCT" is explained :p |
|
Added a comment :) |
| // some defined time period | ||
| func verifySCT(fr Resp) error { | ||
| buf := tuf.ByteDestination{Buffer: &bytes.Buffer{}} | ||
| if err := tuf.GetTarget(context.TODO(), ctPublicKeyStr, &buf); err != nil { |
There was a problem hiding this comment.
not really sure if we should error out on this -- because it will fail if you haven't run cosign init and i don't think we want that to be failure behavior (rather preferrable behavior)
There was a problem hiding this comment.
sure, i can add in a warning that SCTs won't be verified if the user doesn't run cosign init
in the future i wonder if we could just automatically run cosign init for someone if they have experimental mode set!
There was a problem hiding this comment.
Maybe a silly question, but If we have all the info to validate against in the binary to run "cosign init", could we just validate it there before putting it on disk?
There was a problem hiding this comment.
"there"?
i think i'm having trouble parsing the question! do you mean if you haven't run cosign init at this point, go ahead and run it?
Added in the CT log public key for this verification. Signed-off-by: Priya Wadhwa <priyawadhwa@google.com>
Added in the CT log public key for this verification.
up next, adding it to the bundle!
closes #591
Signed-off-by: Priya Wadhwa priyawadhwa@google.com