bundle verification does not work with non-standard certificates #1507

@imundra

Description

I have some certificates generated from my internal PKI that I use sigstore-go to generate bundles for. Verification with sigstore-go seems to work smoothly, but verifying using sigstore-js runs into errors. The issue seems to be coming from the fact that:

  • certificates in my cert chain are RSA signed certificates (we seem to only support ECDSA signed certificates)
  • our current crypto.verify call in message.ts relies on auto-detection of the signing algorithm, however, this sometimes fails for my use cases. I suspect some of my certificates have non-standard combinations in terms of key size + signing algorithm but regardless I think it's a better practice if we try to explicitly pass the algorithm along 🙂


Labels: enhancement (New feature or request)
