Option to substitute signing algorithm to a custom version

[anotherbridge]

Description of the feature request:

Are there any plans to add an option that a custom binary for the signing could be used?

The reason I'm asking this is because for security reasons we would like to replace the signing performed by a Rust implementation. Additionally we would like to add entropy checks before the signing.
Moreover, in case that in the future algorithms that are used will be considered as weak/unsafe it would be great to have the described feature to easily substitute to stronger algorithms.

[adityasaky]

We've discussed making the in-toto specification more agnostic to the signing key algorithms, mechanisms, and so on. Inherently, there's nothing locking us into one algorithm / mechanism or another, it's all a question of support. Do you have any thoughts on how to use other binaries for signing, and how to ensure compatibility with other in-toto implementations which may verify the resulting metadata? For the former, we could look to git, for example, but the second question makes it difficult IMO.

[Pierre-Gronau-ndaal]

maybe you consider for entropy checking the following code:

https://github.com/kzahedi/goent
GitHub - kzahedi/goent: GO Implementation of Entropy Measures

License should not be a problem:

https://opensource.stackexchange.com/questions/11640/can-mit-and-apache-licenses-be-used-together
Can MIT and Apache licenses be used together? - Open Source Stack Exchange

[Pierre-Gronau-ndaal]

possible generic rust cli for integrating:

cargo install sha3sum
cargo install b3sum
cargo install k12sum