Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add new specifications for non-OCI signatures #275

Closed
yizha1 opened this issue Aug 22, 2023 · 2 comments
Closed

Add new specifications for non-OCI signatures #275

yizha1 opened this issue Aug 22, 2023 · 2 comments
Assignees
@rgnote
Labels
enhancement New feature or request

Comments

@yizha1
Copy link
Contributor

yizha1 commented Aug 22, 2023

Description

The specifications v1 defines the signature payload, storage based on OCI specification, as well as the signing and verification workflow for interaction with OCI compliant registries. The trust policies are mainly defined to verify artifacts stored in OCI compliant registries, for example the property registryScopes contain fully qualified registry URL(s).

There are scenarios that users need to produce non-OCI signatures for non-OCI artifacts and distribute both non-OCI artifacts and signatures in a different way from using OCI compliant registry, see notation#741 and scenarios. So, I would like to request adding new specifications for non-OCI signature which covers:

  • Signature payload
  • Signature storage on disk
  • Trust store and trust policy
  • signing and verification workflow

Benefits

  • A new set of specifications that support new scenarios for securing software supply chains
  • Ensuring compatibility and interoperability between different implementations that built per the new specifications
  • Portability of non-OCI signatures

Proposed Solution

Create new specifications for non-OCI signature specifications.

Additional Information

N/A
@yizha1 yizha1 added the enhancement New feature or request label Aug 22, 2023
@yizha1 yizha1 mentioned this issue Aug 22, 2023
Open
@yizha1 yizha1 changed the title Add new specifications for non-OCI signature Add new specifications for non-OCI signatures Aug 22, 2023
@yizha1 yizha1 mentioned this issue Aug 22, 2023
Open
@Two-Hearts Two-Hearts mentioned this issue Aug 22, 2023
Closed
@yizha1 yizha1 assigned yizha1 and unassigned Two-Hearts Aug 23, 2023
@yizha1 yizha1 removed their assignment Sep 11, 2023
@yizha1 yizha1 added this to the 1.1.0 milestone Sep 11, 2023
@yizha1 yizha1 moved this from Todo to PR Review in Notary Project Planning Board Nov 10, 2023
@yizha1 yizha1 assigned rgnote and unassigned priteshbandi Nov 10, 2023
@yizha1 yizha1 removed this from the 1.1.0 milestone Jan 3, 2024
@yizha1
Copy link
Contributor Author

yizha1 commented Jan 3, 2024

per discussion at the meeting on 1/2/2024, the feature signing arbitrary data will not be in the scope of Notation 1.1.0. So remove this work item from 1.1.0 milestone.

@yizha1
Copy link
Contributor Author

yizha1 commented Mar 5, 2024

Closed as completed by PR #283

@yizha1 yizha1 closed this as completed Mar 5, 2024
@github-project-automation github-project-automation bot moved this from PR Review to Done in Notary Project Planning Board Mar 5, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@rgnote rgnote

Labels
enhancement New feature or request
Projects
Notary Project Planning Board
Status: Done
Milestone
No milestone
Development

No branches or pull requests
4 participants
@rgnote @priteshbandi @yizha1 @Two-Hearts