feat: adding trust_config parameter for private sigstore instances #460
Conversation
Signed-off-by: SequeI <[email protected]>
| @@ -24,6 +24,7 @@ | |||
| from sigstore import oidc as sigstore_oidc | |||
| from sigstore import sign as sigstore_signer | |||
| from sigstore import verify as sigstore_verifier | |||
| from sigstore._internal.trust import ClientTrustConfig | |||
There was a problem hiding this comment.
I guess we have no other choice than to take one of their _internal classes.
Rest LGTM.
There was a problem hiding this comment.
Looks like the type mismatch issue in sigstore-python that was blocking this earlier is now resolved, so we should be good to go on making these parts of the API public.
Also, there's an upstream fix in progress for pulling the OIDC URL from trustconfig. Once that's merged, I'll clean up the current workaround and refactor things properly to expose what we need in sigstore-python. That way, we wont have to rely on internals in model-transparency and have a cleaner setup overall.
Thanks for the review! (This does work in it's current form, just for stability purposes these changes will need to be introduced)
There was a problem hiding this comment.
Thank you for the PR! Yes, let's wait for the upstream trustconfig changes and then we can merge this.
Given the current changes, we could do a 1.1 release once the current PRs are merged.
Summary
This change introduces the --trust_config option to enable the use of private Sigstore instances with custom trust roots. Currently, the tooling assumes the use of the public Sigstore infrastructure, which limits flexibility for organizations running their own Rekor, Fulcio, and CTLog instances. This PR addresses that limitation by allowing users to provide a custom trust configuration for both signing and verification operations.
I tested using the public goods instance and it's trust config, and also our own redhat TAS instance's trust config. Signed and verified with no issues :)
resolves #208
Checklist