Support timestamp responses during both signing and verification? #349
Comments
CC @tnytown this is a good one to take a stab at as well!
Some relevant docs here: https://github.com/sigstore/timestamp-authority
xref sigstore/root-signing#466: this is probably blocked for us on the fact that the TSA's cert chain isn't included in the TUF repo yet. Edit: Scheduled for v7 of the TUF root: sigstore/root-signing#616
Should be unblocked now. Triage: this might be worth scheduling for the 2.0, although nobody is currently assigned to it.
Hey @woodruffw, just wondering, are there any major blockers for this? Is there python support for rfc3161 timestamping?
I don't know of a good client implementation, unfortunately 😞 -- there are a few public ones, but most seem pretty small: ( Another option here would be to add TSR/RFC 3161 support to Cryptography, or potentially reuse the existing PKCS#7/CMS support (since, IIRC, RFC 3161 boils down to a CMS envelope anyways).
I did some design thinking on this yesterday, and there are pretty much two different routes we can go:
Given the amount of time we have, I'm tempted to go with (2) -- we already use CC @facutuesca
Sigstore has an RFC 3161 TSA now, and signers can request a TSR from it while signing.
During signing, this would probably look like:
and then, for verification:
{input}.tsr
);
(I think I got that right, but I might be missing a few details.)
cc @di for thoughts on whether we should support this.
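
As an added illustration (not code from this issue or from sigstore-python), this example hand-encodes the RFC 3161 `TimeStampReq` a signer would send to a TSA for a signature, and reads the message imprint back out as a verifier would before comparing it to the signature's hash. It assumes SHA-256 as the imprint hash; the function names and the sample signature bytes are constructed for the example.

```python
import hashlib
import secrets

# DER encoding of the SHA-256 OID 2.16.840.1.101.3.4.2.1
SHA256_OID = bytes.fromhex("0609608648016503040201")

def der(tag: int, content: bytes) -> bytes:
    """Encode one DER TLV with a definite length."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(raw)]) + raw
    return bytes([tag]) + length + content

def der_int(value: int) -> bytes:
    """Encode a non-negative INTEGER; the extra byte keeps the sign bit clear."""
    if value < 0:
        raise ValueError("only non-negative integers are supported")
    return der(0x02, value.to_bytes(value.bit_length() // 8 + 1, "big"))

def build_timestamp_request(signature: bytes, nonce=None, cert_req=True) -> bytes:
    """TimeStampReq ::= SEQUENCE { version, messageImprint, nonce, certReq }."""
    if nonce is None:
        nonce = secrets.randbits(64)  # lets the client match the response to this request
    digest = hashlib.sha256(signature).digest()
    algorithm = der(0x30, SHA256_OID + b"\x05\x00")     # AlgorithmIdentifier with NULL params
    imprint = der(0x30, algorithm + der(0x04, digest))  # MessageImprint
    body = der_int(1) + imprint + der_int(nonce)
    if cert_req:
        body += der(0x01, b"\xff")  # ask the TSA to include its certificate
    return der(0x30, body)

def read_tlv(buf: bytes, pos: int):
    """Return (tag, content, next_pos) for the TLV starting at pos."""
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + n], pos + n

def hashed_message(request: bytes) -> bytes:
    """Extract MessageImprint.hashedMessage from a TimeStampReq."""
    _, body, _ = read_tlv(request, 0)
    _, _, after_version = read_tlv(body, 0)
    _, imprint, _ = read_tlv(body, after_version)
    _, _, after_alg = read_tlv(imprint, 0)
    return read_tlv(imprint, after_alg)[1]

SAMPLE_SIGNATURE = b"constructed signature bytes"  # constructed input, not a real signature
```

Per RFC 3161, the encoded request is sent to the TSA over HTTP with the `application/timestamp-query` content type; verifying the returned TSR's CMS signature against the TSA's certificate chain is not covered here.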