WIP adopting manifests and signing classes #260
Conversation
Signed-off-by: Martin Sablotny <msablotny@nvidia.com>
| """BytesSigner is the abstract base class for signing bytes.""" | ||
|
|
||
| @abc.abstractmethod | ||
| def sign(self, data: bytes) -> bytes: |
There was a problem hiding this comment.
This is the same as signing.Signer. I'm curious why we'd duplicate the class hierarchy instead of using it?
| """ | ||
|
|
||
|
|
||
| class BytesVerifier(metaclass=abc.ABCMeta): |
There was a problem hiding this comment.
Same here, w.r.t signing.Verifier
| """Generic verification material""" | ||
|
|
||
|
|
||
| class SigstoreVerificationMaterial(VerificationMaterial): |
There was a problem hiding this comment.
Can this be just a subclass of `signing.Signature, which will just wrap the bundle?
| descriptors = [] | ||
| for d in manifest.resource_descriptors: | ||
| descriptors.append(d) | ||
| return cls(descriptors) |
There was a problem hiding this comment.
I'm unsure about this. We're just building a dictionary out of items fed from another dictionary. And we also lose the ordering guarantee.
Why not make the payload directly be in-toto here?
|
If you want to see the entire work to convert manifests to in-toto, #267 (I split it into a series of PRs with various in-toto payloads to ease reviews - every PR should just look at the last commit). |
ok, I'll leave it at that and stop trying to contribute for now. |
|
That wasn't my intention :( |
WIP do not merge
This is my first draft of adopting the new signing and manifest primitives for actual signature creation and serialization to disk. For now the idea is to use
BytesSignerto sign the contents of the manifest payload and provide verification material. That can then be stored on disk together with the signed payload as a tuple of (SigstoreBundle, Manifest).@mihaimaruseac PLMK what you think about this approach