
docs: ADR for signatures, sigstore and GPG #1568

Draft pull request: wants to merge 1 commit into base: main

Conversation

@ctron (Contributor) commented Apr 22, 2025

@ctron ctron force-pushed the feature/adr_check_sig_1 branch from a2b0203 to c267aeb Compare April 22, 2025 14:22
@carlosthe19916 (Member):

Looks great.

  • In terms of what it would look like for users, I think we could somehow copy the GitHub way of rendering signed commits.
    • I also wonder if in the UI there should be visibility of the keys used to verify the signature? Something only an "Admin" should be able to see. Asking just in case a dedicated REST API would be needed to expose this information.
  • In regard to the Upload REST API: I wonder how an SBOM and its signature will be uploaded? I might be wrong, but I guess the SBOM and its signature are 2 different files; should/can they be uploaded together?

@ctron (Contributor, Author) commented Apr 24, 2025

> Looks great.
>
>   • In terms of what it would look like for users, I think we could somehow copy the GitHub way of rendering signed commits.
>
>     • I also wonder if in the UI there should be visibility of the keys used to verify the signature? Something only an "Admin" should be able to see. Asking just in case a dedicated REST API would be needed to expose this information.

I think it would be great to find a way to properly expose this through the UI to the user, and also to allow users to manage this through the UI.

>   • In regard to the Upload REST API: I wonder how an SBOM and its signature will be uploaded? I might be wrong, but I guess the SBOM and its signature are 2 different files; should/can they be uploaded together?

It depends. One source might be "sigstore", in which case the system would need to fetch from that source. The question would be: how would the user define that this document is applicable to that sigstore source, if there's more than one?

The second source would be the SBOM/advisory source, which in this case would be the upload form. So, the user should have the ability to upload the signature too. This only works in the order: document first, signature next. Maybe it makes sense to capture that process in a UI flow. It could be a combined form, or a two-step process. Again, the user would need to tell the system which trust anchors are applicable.
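The two-step flow described in this comment (document first, detached signature next, with the user naming which trust anchors apply) as an added example; this is not code from the pull request or the project. It assumes Ed25519 keys as a stand-in for the GPG keys or sigstore identities the ADR discusses, and the `Store`, `TrustAnchor` and error names are this example's own. The verification is always run against the bytes the server stored, never against content the client re-sends with the signature.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// TrustAnchor is one administrator-configured verification key, named by the
// source a user can select at upload time. Assumption for this example: a raw
// Ed25519 public key stands in for a GPG key or sigstore identity.
type TrustAnchor struct {
	Name string
	Key  ed25519.PublicKey
}

// Document is an uploaded SBOM/advisory. VerifiedBy stays empty until a
// detached signature has verified against one of the selected anchors.
type Document struct {
	ID         string
	Content    []byte
	VerifiedBy string
}

var (
	ErrUnknownDocument = errors.New("signature refers to a document that has not been uploaded")
	ErrNoAnchor        = errors.New("no trust anchor selected for this document")
	ErrBadSignature    = errors.New("signature does not verify against any selected trust anchor")
)

// Store models the ordering from the discussion: document first, signature next.
type Store struct {
	anchors map[string]TrustAnchor
	docs    map[string]*Document
}

func NewStore() *Store {
	return &Store{anchors: map[string]TrustAnchor{}, docs: map[string]*Document{}}
}

// AddAnchor registers a key an administrator has decided to trust.
func (s *Store) AddAnchor(name string, key ed25519.PublicKey) {
	s.anchors[name] = TrustAnchor{Name: name, Key: key}
}

// UploadDocument is step one. The SHA-256 of the stored bytes is the handle the
// client presents in step two, so a signature is only ever bound to what the
// server actually stored.
func (s *Store) UploadDocument(content []byte) string {
	sum := sha256.Sum256(content)
	id := hex.EncodeToString(sum[:])
	s.docs[id] = &Document{ID: id, Content: append([]byte(nil), content...)}
	return id
}

// AttachSignature is step two: a detached signature plus the anchor names the
// user says apply. Anchors outside the selection are never consulted, and an
// unknown name is skipped rather than trusted implicitly.
func (s *Store) AttachSignature(id string, sig []byte, anchorNames []string) error {
	doc, ok := s.docs[id]
	if !ok {
		return ErrUnknownDocument
	}
	if len(anchorNames) == 0 {
		return ErrNoAnchor
	}
	for _, name := range anchorNames {
		anchor, ok := s.anchors[name]
		if !ok {
			continue
		}
		if ed25519.Verify(anchor.Key, doc.Content, sig) {
			doc.VerifiedBy = anchor.Name
			return nil
		}
	}
	return ErrBadSignature
}

// VerifiedBy reports which anchor verified the document, or "" if none has.
func (s *Store) VerifiedBy(id string) string {
	if doc, ok := s.docs[id]; ok {
		return doc.VerifiedBy
	}
	return ""
}

func main() {
	// Constructed key and SBOM for the demo, not real data.
	pub, priv, _ := ed25519.GenerateKey(nil)
	store := NewStore()
	store.AddAnchor("vendor-release-key", pub)
	sbom := []byte(`{"bomFormat":"CycloneDX","specVersion":"1.5","components":[]}`)
	sig := ed25519.Sign(priv, sbom)

	fmt.Println("signature before document:", store.AttachSignature("not-uploaded", sig, []string{"vendor-release-key"}))
	id := store.UploadDocument(sbom)
	fmt.Println("no anchor selected:", store.AttachSignature(id, sig, nil))
	fmt.Println("verified:", store.AttachSignature(id, sig, []string{"vendor-release-key"}), "by", store.VerifiedBy(id))
}
```

The same shape works for the sigstore case: the fetch from the sigstore source replaces the client's upload of `sig`, and the user's choice of source is what populates `anchorNames`.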

@ctron ctron force-pushed the feature/adr_check_sig_1 branch from c267aeb to 352c006 Compare April 24, 2025 08:36