Conversation

@ctron
Contributor

@ctron ctron commented Apr 22, 2025

@ctron ctron force-pushed the feature/adr_check_sig_1 branch from a2b0203 to c267aeb on April 22, 2025 14:22
@carlosthe19916
Contributor

Looks great.

  • In terms of how it would look for users, I think we could somehow copy the GitHub way of rendering signed commits.
    • I also wonder if in the UI there should be visibility of the keys used to verify the signature? Something only an "Admin" should be able to see. Asking just in case a dedicated REST API would be needed to expose this information.
  • In regard to the Upload REST API: I wonder how an SBOM and its signature will be uploaded? I might be wrong, but I guess the SBOM and its signature are two different files; should/can they be uploaded together?

@ctron
Contributor Author

ctron commented Apr 24, 2025

Looks great.

  • In terms of how it would look for users, I think we could somehow copy the GitHub way of rendering signed commits.

    • I also wonder if in the UI there should be visibility of the keys used to verify the signature? Something only an "Admin" should be able to see. Asking just in case a dedicated REST API would be needed to expose this information.

I think it would be great to find a way to properly expose this through the UI to the user, and also to allow users to manage this through the UI.

  • In regard to the Upload REST API: I wonder how an SBOM and its signature will be uploaded? I might be wrong, but I guess the SBOM and its signature are two different files; should/can they be uploaded together?

It depends. One source might be "sigstore", in which case the system would need to fetch from that source. The question would be: how would the user define whether this document is applicable to that sigstore source, if there's more than one?

The second source would be the SBOM/advisory source, which in this case would be the upload form. So, the user should have the ability to upload the signature too. This only works in the order: document first, signature next. Maybe it makes sense to capture that process in a UI flow. It can be a combined form, or a two-step process too. Again, the user would need to tell the system which trust anchors are applicable.

@ctron ctron force-pushed the feature/adr_check_sig_1 branch from c267aeb to 352c006 on April 24, 2025 08:36
@ctron ctron added the ADR label May 27, 2025
@ctron ctron force-pushed the feature/adr_check_sig_1 branch from 352c006 to a0e92f6 on June 5, 2025 13:27
@codecov

codecov bot commented Jun 5, 2025

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 63.55%. Comparing base (058fd52) to head (a0e92f6).
Report is 1 commits behind head on main.

Additional details and impacted files
@@           Coverage Diff           @@
##             main    #1568   +/-   ##
=======================================
  Coverage   63.55%   63.55%           
=======================================
  Files         350      350           
  Lines       14286    14286           
=======================================
  Hits         9080     9080           
  Misses       5206     5206           
