Notation CLI support for Timestamp Authority signatures #59
Comments
@gokarnm - This is the roadmap item related to timestamping.
@FeynmanZhou - We discussed this in our NV2 community meeting today. Propose we include the "Sign" part in RC-1 and the "Verify" part of it can come in "RC-2". Do discuss with @shizhMSFT on it.
@iamsamirzon
Yes, there was support added back in Alpha-1. This roadmap item is to ensure the implementation (along with tests) meets the agreed-on spec.
Okay, we need to verify it for the next step.
There are open questions and work related to
@shizhMSFT, @dtzar - We need to bring the signing part back into RC-1. This item is not yet complete for RC-1.
Looks like this work could be included in whoever implements notaryproject/notation-go#78
This issue is also relevant to the completion of this item: notaryproject/notation-go#13
@dtzar - There was an item in the spreadsheet for this, row #22. It is marked green (to indicate complete), but it is not. @shizhMSFT's team was looking to implement this. Let's touch base on this with them.
As discussed in previous Notary community meetings, we will not provide a default TSA for signing. Users must specify their trusted TSA when signing.
This item is a successor of distributing roots for
We need more clarification on the "improvements".
@gokarnm, @rgnote - Could you elaborate on the "improvements"? #59 (comment)
Based on the agreement in NV2 community call on 12/5/2022, moving this out of RC-2 |
It would be great if we could accelerate TSA signature support for an upcoming release, and as such I would like to get feedback on the potential to leverage an existing Go timestamping library to implement this roadmap item. I have had a positive experience with the library, and it is even being used by the Sigstore/cosign project.
The prerequisites of TSA signature support are
Unfortunately, there are no known reliable, mature Go libraries implementing RFC 3161 and RFC 2315. The timestamp library github.com/digitorus/timestamp, which is also used by cosign, is built on top of github.com/digitorus/pkcs7, which is a fork of https://github.com/mozilla-services/pkcs7 with enhanced features (but not security). However, the maturity of those libraries is still at an early stage, and they should not be used in production. Here are some code snippets from
Note: Unit tests in
To ensure the security of notation, we need to ensure that we have production-level CMS and Timestamp Go libraries (we don't need to implement the full spec, but implement what we need). There was an attempt in notation-core-go, but it was at prototype maturity (insufficient unit tests) and has its own security vulnerability.
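Added example, written for this page rather than taken from notation, notation-core-go, digitorus/timestamp or any other library: the two RFC 3161 structures the comments above are discussing (TimeStampReq on the client side, TSTInfo on the TSA side), built and parsed with nothing but the Go standard library's encoding/asn1, plus the binding check a verifier has to do between what it sent and what came back. It assumes SHA-256 imprints only, uses a placeholder policy OID from the 2.999 example arc, and deliberately stops short of the CMS SignedData layer, which is the part the comment says has no mature Go implementation; signature and TSA chain verification are not shown. Function names other than the RFC's type names (NewTimeStampReq, NewTSTInfo, Decode, CheckTSTInfoAgainstRequest) are chosen here.

```go
package main

import (
	"bytes"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509/pkix"
	"encoding/asn1"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// id-sha256 (RFC 5754); its AlgorithmIdentifier carries no parameters field.
var oidSHA256 = asn1.ObjectIdentifier{2, 16, 840, 1, 101, 3, 4, 2, 1}

// MessageImprint ::= SEQUENCE { hashAlgorithm AlgorithmIdentifier, hashedMessage OCTET STRING }
type MessageImprint struct {
	HashAlgorithm pkix.AlgorithmIdentifier
	HashedMessage []byte
}

// TimeStampReq (RFC 3161 section 2.4.1); the optional [0] extensions field is left out.
type TimeStampReq struct {
	Version        int
	MessageImprint MessageImprint
	ReqPolicy      asn1.ObjectIdentifier `asn1:"optional"`
	Nonce          *big.Int              `asn1:"optional"`
	CertReq        bool                  `asn1:"optional"` // DEFAULT FALSE: DER omits it when false
}

// Accuracy and TSTInfo (RFC 3161 section 2.4.2). A verifier takes TSTInfo out of the
// eContent of the token's CMS SignedData; that CMS layer is not parsed in this example.
type Accuracy struct {
	Seconds int `asn1:"optional"`
	Millis  int `asn1:"tag:0,optional"`
	Micros  int `asn1:"tag:1,optional"`
}
type TSTInfo struct {
	Version        int
	Policy         asn1.ObjectIdentifier
	MessageImprint MessageImprint
	SerialNumber   *big.Int
	GenTime        time.Time        `asn1:"generalized"`
	Accuracy       Accuracy         `asn1:"optional"`
	Ordering       bool             `asn1:"optional"`
	Nonce          *big.Int         `asn1:"optional"`
	TSA            asn1.RawValue    `asn1:"tag:0,explicit,optional"`
	Extensions     []pkix.Extension `asn1:"tag:1,optional"`
}

func (r *TimeStampReq) header() (int, MessageImprint) { return r.Version, r.MessageImprint }
func (t *TSTInfo) header() (int, MessageImprint)      { return t.Version, t.MessageImprint }

// NewTimeStampReq is the client side: SHA-256 imprint of data, a fresh 64-bit random
// nonce, and certReq=true so the TSA returns its certificate in the token.
func NewTimeStampReq(data []byte) (*TimeStampReq, []byte, error) {
	nonce, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64))
	if err != nil {
		return nil, nil, err
	}
	digest := sha256.Sum256(data)
	req := &TimeStampReq{
		Version:        1,
		MessageImprint: MessageImprint{HashAlgorithm: pkix.AlgorithmIdentifier{Algorithm: oidSHA256}, HashedMessage: digest[:]},
		Nonce:          nonce,
		CertReq:        true,
	}
	der, err := asn1.Marshal(*req)
	return req, der, err
}

// NewTSTInfo is the TSA side: the token body answering req, echoing its imprint and nonce.
// The policy OID is a placeholder from the 2.999 example arc, not any real TSA's policy.
func NewTSTInfo(req *TimeStampReq, serial int64) ([]byte, error) {
	return asn1.Marshal(TSTInfo{
		Version:        1,
		Policy:         asn1.ObjectIdentifier{2, 999, 1},
		MessageImprint: req.MessageImprint,
		SerialNumber:   big.NewInt(serial),
		GenTime:        time.Now().UTC().Truncate(time.Second),
		Nonce:          req.Nonce,
	})
}

// Decode parses a TimeStampReq or TSTInfo into v. It rejects trailing bytes (asn1.Unmarshal
// merely returns them), versions other than 1, and an imprint whose digest length does not
// match the declared SHA-256 OID, so a mis-declared hash algorithm cannot slip through.
func Decode(der []byte, v interface{ header() (int, MessageImprint) }) error {
	rest, err := asn1.Unmarshal(der, v)
	if err != nil {
		return err
	}
	version, mi := v.header()
	if len(rest) != 0 || version != 1 {
		return errors.New("trailing data or unsupported version")
	}
	if !mi.HashAlgorithm.Algorithm.Equal(oidSHA256) || len(mi.HashedMessage) != sha256.Size {
		return errors.New("messageImprint is not a well-formed SHA-256 imprint")
	}
	return nil
}

// CheckTSTInfoAgainstRequest binds a token to the request that produced it: same hash
// algorithm, same digest and, when a nonce was sent, the same nonce. It complements, not
// replaces, verifying the CMS signature over TSTInfo and the TSA certificate chain.
func CheckTSTInfoAgainstRequest(req *TimeStampReq, tst *TSTInfo) error {
	if !tst.MessageImprint.HashAlgorithm.Algorithm.Equal(req.MessageImprint.HashAlgorithm.Algorithm) {
		return errors.New("token hash algorithm differs from request")
	}
	if !bytes.Equal(tst.MessageImprint.HashedMessage, req.MessageImprint.HashedMessage) {
		return errors.New("token messageImprint does not match request")
	}
	if req.Nonce != nil && (tst.Nonce == nil || tst.Nonce.Cmp(req.Nonce) != 0) {
		return errors.New("token nonce does not match request")
	}
	return nil
}

func main() {
	// Constructed sample input; in notation this would be the signature envelope bytes.
	_, der, err := NewTimeStampReq([]byte("constructed sample signature envelope"))
	fmt.Println("TimeStampReq DER length:", len(der), "error:", err)
}
```

Decode refuses trailing bytes on purpose: asn1.Unmarshal hands them back instead of failing, so a sloppy caller would silently accept a token with junk appended. CheckTSTInfoAgainstRequest is the step that ties the token to the exact bytes that were timestamped; a token whose CMS signature verifies but whose messageImprint or nonce does not match the request proves nothing about the signature being timestamped.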
Summary - Notation client to support TSA signatures and verification support as per RFC 3161
Intended Outcome - The implementation matches with the specification