Stabilization plans? #6
Comments
|
Great question! I think we'd love feedback at this point. It's been through a bunch of iterations, and I think we've exhausted the use of code review without actual implementers. So we're at a chicken-and-egg point right now. We may still break you a fair bit at this point :) However, I expect in the long run that most library implementations will implement roughly like: def verify(artifact: bytes, bundle: sigstoreprotos.Bundle) -> bool:
foo = _decode_foo(bundle.foo)
bar = _ decode_bar(bundle.bar)
return _verify_foo(bytes, foo) and _verify_bar(bytes, bar) && ...So my hope is that it would be pretty doable to prototype now and deal with minor breakage. In return you'll get to shape the bundle format to make it really easy for you to consume! I unfortunately don't have an exact schedule. If a bunch of clients try it out and are happy immediately, we can stabilize soon! Otherwise, we probably will need to wait a bit longer. (Sorry for the non-answer) |
|
As far as non-answers go, that's a good one 🙂 I'll start playing around with the definitions as they currently are (we'll probably gate them behind some kind of "unstable" or "experimental" flag), and see what rough edges we run up against! |
I'd also expect the last major piece is the trusted root that's used for client initialization. Personally I'm waiting for @kommendorkapten to PR out the verification pseudo-code: https://github.com/kommendorkapten/cosign/blob/bundle_verification/specs/dotsigstore_bundle/verify.md#input |
|
On a related note: is there a canonical JSON schema definition for every protobuf definition? My understanding (which might be wrong) of the work here is that both the protobuf wire format and JSON will be acceptable inputs for Sigstore clients. |
Yes, protobuf defines a JSON mapping: https://developers.google.com/protocol-buffers/docs/proto3#json It's very important that clients rely on the proto-JSON serializers instead of any language existing JSON implementation, as the encoded JSON will be (subtly?) different. Examples are: |
|
There have been a few bundle releases since I opened this, so closing. |
Thanks a ton for breaking this repo out! I'm extremely excited to see these formats get developed, so that we can reuse them on
sigstore-python.To whit: is there a current roadmap/schedule for official stabilizing the protobuf definitions in this repo (in particular, the Sigstore bundle definition)? Once there's an official version, even a beta one, we can begin ingesting and emitting it on the Python client side 🙂
The text was updated successfully, but these errors were encountered: