Description
VerificationResult is the primary output of the verifier, and contains a "summary" of the verification result. Given that sigstore-go is primarily to be consumed by machines, and users of the library may need to have higher-fidelity data structures for post-processing, I would like to have VerificationResult contain more details about the verified data. Specifically:
- For bundles signed with a certificate, I would like a list of certificate chains:
  `VerifiedCertificateChains [][]*x509.Certificate`
- `TimestampVerificationResult` only contains a type, URI, and timestamp. I would like to have separate fields for `VerifiedTimestampingResponse` and `VerifiedTransparencyLogEntry` including all the data from the bundle:
  `VerifiedTimestampingResponses []*timestamp.Timestamp`
  `VerifiedLogEntries []*models.LogEntryAnon`
- A list of verified SCTs would also be valuable:
  `VerifiedSCTs []*ct.SignedCertificateTimestamp`

This will have several follow-on effects on the current public API, adding return data to several functions such as:
- `func (v *SignedEntityVerifier) VerifyObserverTimestamps`
- `func (v *SignedEntityVerifier) VerifyTransparencyLogInclusion`
- `func VerifyArtifactTransparencyLog`
- `func VerifyTimestampAuthority`
- `func VerifySignedCertificateTimestamp`
I believe that exposing these values from the verifier is important for clients that need data such as the specific transaction log entries that were verified, as there may be untrusted values in the bundle even if it passes the threshold.
The existing VerificationResult serves a role as a simple summary of verification, and we may consider exposing it unchanged as a separate return value, perhaps renaming it to VerificationSummary.
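As an added illustration of the kind of post-processing the proposal above would enable (this is example code written for this page, not sigstore-go's code or API), the sketch below defines a hypothetical `DetailedVerificationResult` that exposes the verified certificate chains and the times asserted by verified observers, and then applies a client-side policy on top of it: only observer times that fall inside the leaf certificate's validity window count, and the client chooses its own threshold. To run offline it uses only standard-library types; the `VerifiedObserverTimes` field is a stand-in for the proposed `VerifiedTimestampingResponses` / `VerifiedLogEntries` fields, and `NewTestLeaf` generates a constructed self-signed leaf rather than a Fulcio certificate.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// DetailedVerificationResult is a hypothetical stand-in for the richer
// VerificationResult proposed in the issue. Only standard-library types are
// used here; the real proposal carries timestamp.Timestamp,
// models.LogEntryAnon and ct.SignedCertificateTimestamp values.
type DetailedVerificationResult struct {
	// Chains the verifier built and validated; chain[0] is the leaf.
	VerifiedCertificateChains [][]*x509.Certificate
	// Times asserted by verified observers (TSA responses, log entries).
	VerifiedObserverTimes []time.Time
}

// LeafCertificate returns the leaf of the first verified chain.
func (r *DetailedVerificationResult) LeafCertificate() (*x509.Certificate, error) {
	if len(r.VerifiedCertificateChains) == 0 || len(r.VerifiedCertificateChains[0]) == 0 {
		return nil, errors.New("no verified certificate chain")
	}
	return r.VerifiedCertificateChains[0][0], nil
}

// ObserverTimesWithinLeafValidity returns the verified observer times that
// lie inside [NotBefore, NotAfter] of the leaf certificate. A client can
// build its own policy on this instead of relying on the summary alone.
func ObserverTimesWithinLeafValidity(r *DetailedVerificationResult) ([]time.Time, error) {
	leaf, err := r.LeafCertificate()
	if err != nil {
		return nil, err
	}
	var inside []time.Time
	for _, t := range r.VerifiedObserverTimes {
		if !t.Before(leaf.NotBefore) && !t.After(leaf.NotAfter) {
			inside = append(inside, t)
		}
	}
	return inside, nil
}

// RequireObservers enforces a client-side threshold: at least n verified
// observer times must fall within the leaf's validity window.
func RequireObservers(r *DetailedVerificationResult, n int) error {
	inside, err := ObserverTimesWithinLeafValidity(r)
	if err != nil {
		return err
	}
	if len(inside) < n {
		return fmt.Errorf("only %d of %d verified observer times fall within leaf validity; need %d",
			len(inside), len(r.VerifiedObserverTimes), n)
	}
	return nil
}

// NewTestLeaf builds a constructed, self-signed leaf certificate valid for
// ten minutes from notBefore (test data, not a Fulcio-issued certificate).
func NewTestLeaf(notBefore time.Time) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "example leaf"},
		NotBefore:    notBefore,
		NotAfter:     notBefore.Add(10 * time.Minute),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	base := time.Date(2024, 1, 1, 12, 0, 0, 0, time.UTC)
	leaf, err := NewTestLeaf(base)
	if err != nil {
		panic(err)
	}
	res := &DetailedVerificationResult{
		VerifiedCertificateChains: [][]*x509.Certificate{{leaf}},
		VerifiedObserverTimes: []time.Time{
			base.Add(1 * time.Minute),  // inside the leaf's validity window
			base.Add(30 * time.Minute), // verified, but outside the window
		},
	}
	fmt.Println("threshold 1:", RequireObservers(res, 1))
	fmt.Println("threshold 2:", RequireObservers(res, 2))
}
```

The second observer time is one the verifier accepted, yet it lies outside the leaf's validity window; with only the summary the client could not tell, whereas with the detailed result it can reject the bundle under its own threshold.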