-
Notifications
You must be signed in to change notification settings - Fork 135
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Support private PKI #34
Comments
Yeah, so when I heard about this project I thought of it as made up of two steps:
For (2), there are many advantages of using public But there might be cases where people don't want to use public That said, there is a lot of value in having an opinionated paved path, and maybe having different options for (2) adds more confusion than it's worth. There's nothing stopping people from implementing support for their own PKI as they need it! |
I think it's definitely something that could be considered and supported. In order to keep it simpler, maybe it's something we should wait on implementing until folks are specifically asking for it? If we did implement it, we could allow folks to specify their own address for rekor/fulcio servers in a config file at the base of the repo like the one slsa-github-generator-go has. |
The biggest challenge around here is verifying against the correct TUF root: folks would need to specify addresses for rekor/fulcio but also the trusted root CA and rekor public key they expect. That information would need to be pushed to the SLSA verifier as well. I don't know the best solution for this yet. Do we specify the whole TUF root? On the generator side I suppose we only need to specify the rekor/fulcio, and the end-users need to know the TUF root. |
How do sigstore tools handle this currently? |
It would be useful to support private PKI.
The text was updated successfully, but these errors were encountered: