This repository was archived by the owner on Feb 26, 2024. It is now read-only.
The GemVerifier class currently deems a gem signed if there is at least one "valid" signature in Rekor, i.e. one with a valid cert chain and signature matching the gem file's digest. It doesn't care who signed it, except that it separates emails listed in the gemspec vs. the ones that aren't.
Given how rekor accepts any signatures for a given artifact, we need to be more discerning w.r.t. the signatures that have some authority.
In the prototype, we should ignore non-maintainer signatures by default, and perhaps only print them if requested (but they're kinda worthless imo).
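The two policies described above side by side, as an added example that is not part of the original issue or the project's code. Rekor entries are modelled as plain Hashes with constructed fields (`signer_email`, `digest`, `cert_chain_valid`), and the gemspec's maintainer list is a constructed array; the real GemVerifier's data structures are not assumed here.

```ruby
require 'digest'
require 'set'

# Constructed stand-in for the .gem file and its SHA-256 digest.
GEM_BYTES  = "constructed gem contents".b
GEM_DIGEST = Digest::SHA256.hexdigest(GEM_BYTES)

# Constructed Rekor-style entries; only the fields the policy needs.
ENTRIES = [
  { signer_email: "maintainer@example.com", digest: GEM_DIGEST, cert_chain_valid: true  },
  { signer_email: "Random@Example.org",     digest: GEM_DIGEST, cert_chain_valid: true  },
  { signer_email: "maintainer@example.com", digest: "00" * 32,  cert_chain_valid: true  },
  { signer_email: "other@example.com",      digest: GEM_DIGEST, cert_chain_valid: false },
]
GEMSPEC_EMAILS = ["maintainer@example.com"]
# Same artifact, but no valid maintainer signature at all.
UNTRUSTED_ONLY = ENTRIES.reject { |e| e[:signer_email] == "maintainer@example.com" }

# "Valid" in the issue's sense: good cert chain and digest matching the gem file.
def valid_entry?(entry, gem_digest)
  entry[:cert_chain_valid] && entry[:digest].casecmp?(gem_digest)
end

# Split the valid entries into maintainer vs. non-maintainer signers.
# E-mails are compared case-insensitively after trimming whitespace.
def classify(entries, gem_digest, gemspec_emails)
  maintainers = gemspec_emails.map { |m| m.strip.downcase }.to_set
  valid = entries.select { |e| valid_entry?(e, gem_digest) }
  maintainer, other = valid.partition { |e| maintainers.include?(e[:signer_email].strip.downcase) }
  { maintainer: maintainer, other: other }
end

# Current behaviour: any valid signature in Rekor makes the gem "signed".
def signed_current?(entries, gem_digest, gemspec_emails)
  c = classify(entries, gem_digest, gemspec_emails)
  !(c[:maintainer] + c[:other]).empty?
end

# Proposed behaviour: only maintainer signatures carry authority; the
# non-maintainer ones are ignored, and merely reported when asked for.
def signed_proposed?(entries, gem_digest, gemspec_emails, show_others: false)
  c = classify(entries, gem_digest, gemspec_emails)
  if show_others && !c[:other].empty?
    warn "ignored #{c[:other].size} non-maintainer signature(s): " \
         "#{c[:other].map { |e| e[:signer_email] }.join(', ')}"
  end
  !c[:maintainer].empty?
end
```

With `UNTRUSTED_ONLY` the current policy still reports the gem as signed while the proposed one does not, which is the gap the issue describes.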