Support different types of trust store
What would you like to be added?
Notation spec supports 3 trust store types: ca, tsa and signingAuthority: https://github.com/notaryproject/specifications/blob/main/specs/trust-store-trust-policy.md#trust-policy-properties
Ratify presently doesn't differentiate between types, and we used to just set the ca type as the default. As we already have users using signingAuthority instead of the ca type, we should provide support soon. We also need to support tsa for tsa signatures.
There are a few places to be updated:
- Update `GetCertificates` implementation: https://github.com/deislabs/ratify/blob/main/pkg/verifier/notation/truststore.go#L43
- Update `verificationCertStores` to include `trustStoreType`: https://github.com/deislabs/ratify/blob/main/pkg/verifier/notation/notation.go#L60
- Update corresponding CR files.
And if we want to make it backward compatible, the implementation should support both old and new CRs.
Anything else you would like to add?
No response
Are you willing to submit PRs to contribute to this feature?
- [ ] Yes, I am willing to implement it.
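
One way the backward-compatible parsing requested above could work, as an added example that is not Ratify's code. Both CR shapes, the `Normalize` and `toStrings` names, and the store names are assumptions made for illustration; only the three type names come from the linked spec.

```go
package main

import "fmt"

// Trust store types from the Notation spec section linked in the issue.
var validTypes = map[string]bool{"ca": true, "tsa": true, "signingAuthority": true}

// toStrings converts a decoded YAML/JSON list to []string; ok is false for any other shape.
func toStrings(v interface{}) ([]string, bool) {
	list, ok := v.([]interface{})
	out := make([]string, 0, len(list))
	for _, e := range list {
		s, isStr := e.(string)
		ok = ok && isStr
		out = append(out, s)
	}
	return out, ok
}

// Normalize returns type -> store name -> cert store refs for either assumed CR shape:
// legacy {store: [refs]} is filed under "ca" (the old default); typed is {type: {store: [refs]}}.
func Normalize(raw map[string]interface{}) (map[string]map[string][]string, error) {
	out := map[string]map[string][]string{"ca": {}, "tsa": {}, "signingAuthority": {}}
	legacy, typed := false, false
	for key, val := range raw {
		m, isMap := val.(map[string]interface{})
		if isMap && !validTypes[key] {
			// An unknown or misspelled type must fail, never fall back to "ca".
			return nil, fmt.Errorf("unknown trust store type %q", key)
		}
		group, storeType := map[string]interface{}{key: val}, "ca" // legacy: one store, default type
		if isMap {
			group, storeType = m, key
		}
		legacy, typed = legacy || !isMap, typed || isMap
		if legacy && typed {
			return nil, fmt.Errorf("verificationCertStores mixes legacy and typed entries")
		}
		for name, v := range group {
			refs, ok := toStrings(v)
			if !ok {
				return nil, fmt.Errorf("store %q: expected a list of strings", name)
			}
			out[storeType][name] = refs
		}
	}
	return out, nil
}

func main() { fmt.Println(Normalize(map[string]interface{}{"certs": []interface{}{"kv-1"}})) }
```

Rejecting mixed and misspelled entries keeps a certificate meant for one trust store type from being silently treated as a CA root.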