docs: add ratify cosign verifier design doc#20
Closed
junczhu wants to merge 2 commits intonotaryproject:mainfrom
Closed
docs: add ratify cosign verifier design doc#20junczhu wants to merge 2 commits intonotaryproject:mainfrom
junczhu wants to merge 2 commits intonotaryproject:mainfrom
Conversation
Signed-off-by: Juncheng Zhu <junczhu@microsoft.com>
Codecov ReportAll modified and coverable lines are covered by tests ✅ 🚀 New features to boost your workflow:
|
junczhu
force-pushed
the
cosign-verifier-design
branch
2 times, most recently
from
35675b7 to
7d21d11
Compare
junczhu
force-pushed
the
cosign-verifier-design
branch
6 times, most recently
from
9672463 to
bbab7e4
Compare
junczhu
force-pushed
the
cosign-verifier-design
branch
3 times, most recently
from
21484cd to
bf68d98
Compare
junczhu
force-pushed
the
cosign-verifier-design
branch
3 times, most recently
from
673eb08 to
b00b41b
Compare
Signed-off-by: Juncheng Zhu <junczhu@microsoft.com>
junczhu
force-pushed
the
cosign-verifier-design
branch
from
b00b41b to
9d18e98
Compare
There was a problem hiding this comment.
Pull Request Overview
This PR adds a design document outlining the implementation of a Cosign verifier library built on the new sigstore-go API, ensuring compatibility with the cosign CLI experience and alignment with ratify verification workflows.
- Introduces the design overview and component breakdown for the new verifier library.
- Details the API definitions for verifier configuration, policies, trust material, and verification results.
- Compares legacy and new implementations with emphasis on modular design and enhanced performance.
| type VerifyEntity struct { | ||
| // verify.SignedEntity is a interface defined by sigstore-go as the verify input | ||
| signedEntity verify.SignedEntity | ||
| // identityPolices is a list of policy options as verify input |
There was a problem hiding this comment.
Typo in the comment: 'identityPolices' should be corrected to 'identityPolicies'.
Suggested change
| // identityPolices is a list of policy options as verify input | |
| // identityPolicies is a list of policy options as verify input |
| } | ||
|
|
||
| type TrustMaterialProvider interface { | ||
| // user ocispec.Descriptor to retrive the root.TrustedMaterial |
There was a problem hiding this comment.
Typo in the comment: 'retrive' should be corrected to 'retrieve'.
Suggested change
| // user ocispec.Descriptor to retrive the root.TrustedMaterial | |
| // user ocispec.Descriptor to retrieve the root.TrustedMaterial |
| tlogEntriesThreshold int | ||
| // requireSCTs requires SCTs in Fulcio certificates | ||
| requireSCTs bool | ||
| // ctlogEntriesTreshold is the minimum number of verified SCTs in |
There was a problem hiding this comment.
Typo in the comment: 'ctlogEntriesTreshold' should be corrected to 'ctlogEntriesThreshold'.
Suggested change
| // ctlogEntriesTreshold is the minimum number of verified SCTs in | |
| // ctlogEntriesThreshold is the minimum number of verified SCTs in |
shizhMSFT
reviewed
Mar 26, 2025
shizhMSFT
left a comment
shizhMSFT
left a comment
There was a problem hiding this comment.
Let's model the cosign as a black box.
|
|
||
| ### 4.1. Verifier Initialize | ||
|
|
||
| ```go |
| PolicyConfig(ocispec.Descriptor) PolicyConfig | ||
| } | ||
|
|
||
| type Policy{ |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This document outlines the design of a Cosign verifier library using the newly developed
sigstore-goAPI.The goals:
sigstore/cosignlibrary forratifyverifier library. Ensure compatibility with thecosignCLI experience.Verifier,TrustMaterialandPolicyas verification materials.