[feature] Verifier support for Notary Project signatures
Is your feature request related to a problem? Please describe.
Today, GUAC has a Verifier interface to link a given payload to an identity. Currently, the only implementation of this interface is for Sigstore signatures.
Describe the solution you'd like
As per the description on the project page, Notary Project "is a set of specifications and tools intended to provide a cross-industry standard for securing software supply chains by using authentic container images and other OCI artifacts". While Notary Project primarily supports signing OCI images and OCI artifacts, it will soon also support signing arbitrary blobs as well. Notary Project is a CNCF Incubating project and recently announced their 1.0 release. As the Notary Project gains further adoption, GUAC should support the capability to verify Notary Project signatures.
Describe alternatives you've considered
Outside of Sigstore and Notary Project, OpenPubkey is a protocol that exists to bind identities to public keys. Recently, Docker has announced their intention to use OpenPubkey to sign Docker Official images. This should also be supported by GUAC and a separate issue should be created for this.
Additional context
While GUAC's support of identities and signature verification is in an early state, there should be some design discussion around how multiple Verifiers will work. Today, in guacone collect, only the SigstoreVerifier is registered. A user should be able to either select the verifier they wish to use, or GUAC should be able to guess what type of signature is being collected and use the appropriate Verifier for the given signature.
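As an added example (not code from GUAC or the Notary Project), the sketch below shows one way the "select a verifier or guess from the signature" design could look in Go: a registry of verifiers keyed by signature kind, a sniffing function that recognizes the envelope format from the bytes, and an explicit override that wins over sniffing. Every type and function name here (`SignatureKind`, `Verifier`, `Registry`, `kindOnlyVerifier`) is an assumption for illustration and does not mirror GUAC's actual interface; the detection relies on the shape of Notary Project's JWS and COSE envelopes and the Sigstore bundle `mediaType`, and the sample envelopes are constructed stand-ins, not real signatures.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// SignatureKind names the envelope formats this dispatcher knows about.
// The names are assumptions for this example, not GUAC's own types.
type SignatureKind string

const (
	KindUnknown    SignatureKind = "unknown"
	KindSigstore   SignatureKind = "sigstore-bundle"
	KindNotaryJWS  SignatureKind = "notary-jws"
	KindNotaryCOSE SignatureKind = "notary-cose"
)

// Verifier is a hypothetical stand-in for GUAC's Verifier interface:
// it links a signature blob to the identity that produced it.
type Verifier interface {
	Kind() SignatureKind
	Verify(blob []byte) (identity string, err error)
}

// DetectSignatureKind sniffs the envelope format from the bytes alone, so a
// collector can pick a Verifier without being told which tool signed the artifact.
func DetectSignatureKind(blob []byte) SignatureKind {
	if len(blob) == 0 {
		return KindUnknown
	}
	// Notary Project's application/cose envelope is a tagged COSE_Sign1
	// structure; CBOR tag 18 encodes as the single leading byte 0xd2.
	if blob[0] == 0xd2 {
		return KindNotaryCOSE
	}
	var fields map[string]json.RawMessage
	if err := json.Unmarshal(blob, &fields); err != nil {
		return KindUnknown
	}
	// Sigstore bundles carry a self-describing mediaType field.
	if raw, ok := fields["mediaType"]; ok {
		var mediaType string
		if json.Unmarshal(raw, &mediaType) == nil &&
			strings.HasPrefix(mediaType, "application/vnd.dev.sigstore.bundle") {
			return KindSigstore
		}
	}
	// Notary Project's application/jose+json envelope is a JWS in full JSON
	// serialization: payload, protected header and signature are all present.
	_, hasPayload := fields["payload"]
	_, hasProtected := fields["protected"]
	_, hasSignature := fields["signature"]
	if hasPayload && hasProtected && hasSignature {
		return KindNotaryJWS
	}
	return KindUnknown
}

// Registry holds at most one Verifier per signature kind.
type Registry struct{ byKind map[SignatureKind]Verifier }

func NewRegistry() *Registry { return &Registry{byKind: map[SignatureKind]Verifier{}} }

// Register rejects a second Verifier for the same kind so dispatch stays unambiguous.
func (r *Registry) Register(v Verifier) error {
	if _, dup := r.byKind[v.Kind()]; dup {
		return fmt.Errorf("verifier for %q already registered", v.Kind())
	}
	r.byKind[v.Kind()] = v
	return nil
}

// Select picks the Verifier for blob. An explicit want wins over sniffing, so a
// user can force a verifier; otherwise the format detected from the bytes decides.
func (r *Registry) Select(blob []byte, want SignatureKind) (Verifier, error) {
	kind := want
	if kind == "" || kind == KindUnknown {
		kind = DetectSignatureKind(blob)
	}
	v, ok := r.byKind[kind]
	if !ok {
		return nil, fmt.Errorf("no verifier registered for signature kind %q", kind)
	}
	return v, nil
}

// kindOnlyVerifier is a placeholder for this example: it checks only that the
// envelope matches its format and performs no cryptographic verification.
type kindOnlyVerifier struct{ kind SignatureKind }

func (k kindOnlyVerifier) Kind() SignatureKind { return k.kind }
func (k kindOnlyVerifier) Verify(blob []byte) (string, error) {
	if DetectSignatureKind(blob) != k.kind {
		return "", errors.New("envelope does not match this verifier's format")
	}
	return "dispatched-to:" + string(k.kind), nil
}

func main() {
	reg := NewRegistry()
	for _, k := range []SignatureKind{KindSigstore, KindNotaryJWS, KindNotaryCOSE} {
		_ = reg.Register(kindOnlyVerifier{kind: k})
	}
	// Constructed sample envelopes (shapes only; not real signatures).
	samples := [][]byte{
		[]byte(`{"mediaType":"application/vnd.dev.sigstore.bundle+json;version=0.1","verificationMaterial":{},"messageSignature":{}}`),
		[]byte(`{"payload":"e30","protected":"eyJhbGciOiJQUzI1NiJ9","header":{"x5c":[]},"signature":"AAAA"}`),
		{0xd2, 0x84, 0x43, 0xa1, 0x01, 0x26, 0xa0, 0xf6, 0x40},
	}
	for _, s := range samples {
		v, err := reg.Select(s, "")
		if err != nil {
			fmt.Println("error:", err)
			continue
		}
		fmt.Println(v.Verify(s))
	}
}
```

Keeping the sniffing in one function separate from the registry means a new signing tool only needs a new `SignatureKind`, a detection rule and a registered `Verifier`; the explicit override covers formats the sniffer cannot distinguish or that a user wants to pin.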
I am a maintainer for CNCF Notary Project. Glad to see this proposal. It would be helpful to extend the GUAC ecosystem with support for more types of signatures and signing tools in its Verifier.
Awesome! Thanks for proposing this @ridhoq.