v1 release
This is a proposal for the v1 release. Scope: support sigstore for path only (no in-memory path support). This requires implementing only a subset of https://github.com/sigstore/model-transparency/issues/172:
```python
# model.py
from pathlib import Path

def sign(
    input: Path,
    sig: Path | None = None,  # None means defaultSigPath(input)
    recompute_paths: list[Path] | None = None,
    ignored_paths: list[Path] = [".git"],
) -> None:
    ...

def verify(
    input: Path,
    sig: Path | None = None,  # None means defaultSigPath(input)
    verifier: Verifier = SigstoreVerifier(),
    ignored_paths: list[Path] = [".git"],
) -> bool:
    ...
```
What needs to be done:
Simple
- [ ] Make all API private except SigstoreSigner / SigstoreVerifier and model.verify / model.sign - see https://github.com/sigstore/model-transparency/issues/172 for APIs.
- [x] https://github.com/sigstore/model-transparency/issues/174.
- [x] https://github.com/sigstore/model-transparency/issues/157
- [x] Add raw signer to API
- [ ] https://github.com/sigstore/model-transparency/issues/179
- [x] https://github.com/sigstore/model-transparency/issues/196
Medium
- [ ] https://github.com/sigstore/model-transparency/issues/160.
More work
- [ ] Decide the default parameters for sha256pv1 hash (shard size), or
- [ ] https://github.com/sigstore/model-transparency/issues/13. TBD: benchmarking
- [ ] Define the manifest format https://github.com/sigstore/sigstore-python/issues/982
We can add support for more features (https://github.com/sigstore/model-transparency/issues/172) without breaking backward compatibility.
@mihaimaruseac what do you think of making these the prio for v1?
I think anything that comes for the API is a priority. So #172, #111 (manifest), #140 (hash engine), #160 (incremental rehashing) are a must. As part of this, we will also need to clean up BaseResult (#174).
Looking back, that's exactly the list you mentioned above.
I think #157 might also be good to have in the release
> I think #157 might also be good to have in the release
Good call. Added to the list. Thanks!
Added all of them to a milestone too. But also added improvement issues there, so it's good to keep track of the important ones on this issue
This was discussed in the SIG meeting of 12 June 24. We would like to also support private PKI for this release. (We don't need to support all possible features, and we'll add new ones without breaking backward compatibility)