Fulcio: Switch to new-style claim extensions #425
Comments
Looks like these changes have been merged upstream, so we should check to see whether the production or staging instances have deployed them. If so, we should follow suit.
These changes have been fully deployed, so we should begin supporting them.
I did some quick tests in jku@5041820:
FWIW, I also have an initial stab at this up at #715: it keeps the old extension handling in place while adding new APIs for the new extensions. My thinking was that backwards compatibility could be maintained by using the (More generally, using these new extensions is blocked by the fact that they contain DER encodings for their values, which pyca/cryptography doesn't support for arbitrary third-party extensions yet. That's being tracked here: pyca/cryptography#9283.)
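The DER-encoded values mentioned in the comment above, as an added example that is not part of the thread or of sigstore-python: a strict decoder for an extension value assumed to be a single DER UTF8String, such as the raw bytes pyca/cryptography exposes as `UnrecognizedExtension.value`. The function names and the sample value are constructed for illustration.

```python
# Added example: strict decoder for a DER UTF8String extension value.
UTF8STRING_TAG = 0x0C


class DERError(ValueError):
    """The value is not exactly one well-formed DER UTF8String."""


def decode_der_utf8string(value: bytes) -> str:
    if len(value) < 2:
        raise DERError("truncated TLV")
    if value[0] != UTF8STRING_TAG:
        # A legacy-style raw string fails here: its first byte is text, not a tag.
        raise DERError(f"unexpected tag 0x{value[0]:02x}")
    first = value[1]
    if first < 0x80:
        length, offset = first, 2  # short form: the byte is the length
    else:
        num_octets = first & 0x7F
        if num_octets == 0:
            raise DERError("indefinite length is not allowed in DER")
        length_bytes = value[2 : 2 + num_octets]
        if len(length_bytes) != num_octets:
            raise DERError("truncated length")
        if length_bytes[0] == 0 or (num_octets == 1 and length_bytes[0] < 0x80):
            raise DERError("non-minimal length encoding")
        length, offset = int.from_bytes(length_bytes, "big"), 2 + num_octets
    body = value[offset:]
    if len(body) != length:
        raise DERError("content is truncated or followed by trailing data")
    try:
        return body.decode("utf-8")
    except UnicodeDecodeError as exc:
        raise DERError("content is not valid UTF-8") from exc


def encode_der_utf8string(text: str) -> bytes:
    """Build sample input for the decoder (minimal-length DER)."""
    body = text.encode("utf-8")
    if len(body) < 0x80:
        return bytes([UTF8STRING_TAG, len(body)]) + body
    octets = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([UTF8STRING_TAG, 0x80 | len(octets)]) + octets + body


if __name__ == "__main__":
    sample = encode_der_utf8string("https://issuer.example")  # constructed value
    print(sample.hex(), "->", decode_der_utf8string(sample))
```

Rejecting non-minimal lengths and trailing bytes keeps two different byte strings from decoding to the same claim value, which matters when the decoded string feeds an identity policy check.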
Yeah this works but does lead to a lot of classes (e.g.
ooh, good to know
After reading up on the situation in cryptography:
Yeah, this is a fair point. IMO it'd be okay to break the API here between major versions if we think the resulting code will be smaller (especially since the migration path will be smooth).
Yes, agreed -- I have this as a 2.0 milestone ATM but I don't think it should block a 2.0 release of sigstore-python (since the legacy extensions continue to work just fine). We can move it to 3.0, I think.
DER crimes with Short of a full declarative ASN.1 API in Python becoming available, I can think of two other options:
Regardless I think we have options available to us, so we won't need to ask Fulcio to prolong its support for the deprecated extensions 🙂
Dropped this from 2.0, per #766.
Just filing this for tracking purposes: sigstore/fulcio#945 will change Fulcio's certificate extensions to make them more generic, avoiding unnecessary references to implementation details for e.g. GitHub.
These changes will follow Fulcio's deprecation policy, so no action is immediately required on our part.