I think a typical use case will be a project that has N people who are authorized to sign artifacts (releasers in the case of the Node.js project - https://github.com/nodejs/node#release-keys), and the end user wants to be able to easily validate that one of those people has signed an artifact.
I think in the simplest flow, where ephemeral keys have been used (which I think is really nice in that certificates don't have to be stored/managed), the equivalent is that the user will want to verify that the artifact has been signed by any one of a list of emails.
sigstore-python has the option --cert-email, but that only validates against a single email, which does not quite fit this use case. Instead, something like a --cert-emails that allows you to provide a list or a file containing a list of emails would simplify the verification.
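To make the requested check concrete, here is an added example (not code from sigstore-python or from the issue author) of the policy step a --cert-emails flag would need: after the certificate chain, the signature and the transparency-log entry have already been verified, the signer identity taken from the leaf certificate is compared against a list of authorized signers. The `SignerIdentity` class, the list-file format and the sample signers are assumptions made for the example; the security-relevant detail is that an email is matched together with the OIDC issuer that vouched for it, because the same email string can be asserted by different identity providers.

```python
"""Any-of signer identity policy for Sigstore-style verification.

Added example, not sigstore-python's own code. It models only the identity
policy: certificate, signature and transparency-log verification are assumed
to have already succeeded. A SignerIdentity stands in for the values a
verifier extracts from a Fulcio-issued certificate (the email in the
SubjectAlternativeName and the OIDC issuer recorded in the Fulcio issuer
extension).
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class SignerIdentity:
    """Identity bound into a short-lived signing certificate (assumed shape)."""

    email: str   # SAN email, e.g. a releaser's address
    issuer: str  # OIDC issuer URL that authenticated that email


# Constructed sample of an authorized-signers file (not the Node.js list).
# Format assumed for the example: one email per line, '#' starts a comment,
# an optional second column overrides the default issuer for that line.
AUTHORIZED_SIGNERS_TXT = """
# release signers, constructed sample data
alice@example.org
Bob@example.org                      # case is normalized on load
carol@example.org https://github.com/login/oauth
"""

DEFAULT_ISSUER = "https://accounts.google.com"  # assumed default for the sample


def parse_authorized_signers(text: str, default_issuer: str) -> frozenset:
    """Parse the list file into a set of (email, issuer) identities.

    Emails are lower-cased so that a certificate SAN differing only in case
    still matches; the issuer is never guessed, each entry gets either the
    explicit one from the line or the caller's default.
    """
    allowed = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        fields = line.split()
        email = fields[0].lower()
        issuer = fields[1] if len(fields) > 1 else default_issuer
        allowed.add(SignerIdentity(email=email, issuer=issuer))
    return frozenset(allowed)


def is_authorized(cert_identity: SignerIdentity, allowed: frozenset) -> bool:
    """The --cert-emails semantics asked for in the issue: accept when the
    verified certificate identity matches ANY authorized signer.

    Both fields must match. Accepting on email alone would let an identity
    provider other than the expected one vouch for a listed address.
    """
    normalized = SignerIdentity(cert_identity.email.lower(), cert_identity.issuer)
    return normalized in allowed


def verify_signer_from_list(cert_identity: SignerIdentity, list_text: str,
                            default_issuer: str = DEFAULT_ISSUER) -> bool:
    """Convenience wrapper: load the list and evaluate the any-of policy."""
    return is_authorized(cert_identity, parse_authorized_signers(list_text, default_issuer))


if __name__ == "__main__":
    signer = SignerIdentity("bob@example.org", DEFAULT_ISSUER)
    print("authorized" if verify_signer_from_list(signer, AUTHORIZED_SIGNERS_TXT) else "rejected")
```

The rejection cases worth testing are the ones a single `--cert-email` check also has to get right: an unlisted address, and a listed address presented under a different issuer.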
I'm working right now to beef up the verification flow and will definitely be adding support for signer identity verification (including the ability to supply a list of "authorized" signers).