Request to support non-identity based cert as verifier
karaguo opened this issue
Description
Based on the clusterImagePolicy API, it has options to accept key and keyless authorities. Can we also support non-identity-based certs as verifiers to verify signatures, such as https://github.com/sigstore/cosign/blob/main/cmd/cosign/cli/verify/verify.go#L239-L268
I might suggest aligning with future changes to the Cosign UI and other sigstore libraries: rather than taking in a certificate chain which contains a root and some number of intermediates, take in each of those as separate options. openssl has an example of this, where a root is referred to as a "trusted" CA certificate and intermediates are "untrusted" or chain-building CA certificates. sigstore/cosign#3464 proposes using `ca-roots` and `ca-intermediates`, which I think is fine nomenclature.
The benefit of this is that the caller is not responsible for constructing the valid chain; the library is. And if you have a more complex PKI, for example multiple intermediates issued by a root, you don't need to provide multiple chains.
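The separation the comment above argues for, shown as an added example that is not code from this thread, from policy-controller or from cosign. `BuildDemoPKI`, `VerifyWithPools` and the certificate names are assumptions made for the illustration; only `crypto/x509` from the Go standard library does the real work. The caller hands over trusted roots and untrusted intermediates as two independent sets, and chain building is left to the library, so a root with two intermediates and a leaf under each needs no per-signer chain bundle.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// DemoPKI is constructed test data (hypothetical, not a real CA): one root,
// two intermediates issued by that root, and a code-signing leaf under each.
type DemoPKI struct {
	Root         *x509.Certificate
	IntA, IntB   *x509.Certificate
	LeafA, LeafB *x509.Certificate
}

func template(cn string, serial int64, ca bool) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	if ca {
		t.IsCA, t.BasicConstraintsValid = true, true
		t.KeyUsage = x509.KeyUsageCertSign
	} else {
		t.KeyUsage = x509.KeyUsageDigitalSignature
		t.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}
	}
	return t
}

// issue signs tmpl with parentKey under parent; a nil parent yields a
// self-signed certificate signed by the freshly generated key.
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// BuildDemoPKI generates the constructed hierarchy in memory (no files, no network).
func BuildDemoPKI() (*DemoPKI, error) {
	root, rootKey, err := issue(template("Demo Root", 1, true), nil, nil)
	if err != nil {
		return nil, err
	}
	intA, intAKey, err := issue(template("Demo Intermediate A", 2, true), root, rootKey)
	if err != nil {
		return nil, err
	}
	intB, intBKey, err := issue(template("Demo Intermediate B", 3, true), root, rootKey)
	if err != nil {
		return nil, err
	}
	leafA, _, err := issue(template("signer-a", 4, false), intA, intAKey)
	if err != nil {
		return nil, err
	}
	leafB, _, err := issue(template("signer-b", 5, false), intB, intBKey)
	if err != nil {
		return nil, err
	}
	return &DemoPKI{Root: root, IntA: intA, IntB: intB, LeafA: leafA, LeafB: leafB}, nil
}

// VerifyWithPools takes trusted roots and untrusted intermediates as separate
// inputs, mirroring ca-roots / ca-intermediates, and lets crypto/x509 build and
// validate the chain. Returned chains run leaf -> intermediate -> root.
func VerifyWithPools(leaf *x509.Certificate, roots, intermediates []*x509.Certificate) ([][]*x509.Certificate, error) {
	rootPool := x509.NewCertPool() // non-nil so the system trust store is never consulted
	for _, c := range roots {
		rootPool.AddCert(c)
	}
	intPool := x509.NewCertPool()
	for _, c := range intermediates {
		intPool.AddCert(c)
	}
	return leaf.Verify(x509.VerifyOptions{
		Roots:         rootPool,
		Intermediates: intPool,
		KeyUsages:     []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning},
	})
}

func main() {
	pki, err := BuildDemoPKI()
	if err != nil {
		panic(err)
	}
	roots := []*x509.Certificate{pki.Root}
	ints := []*x509.Certificate{pki.IntA, pki.IntB}
	for _, leaf := range []*x509.Certificate{pki.LeafA, pki.LeafB} {
		chains, err := VerifyWithPools(leaf, roots, ints)
		fmt.Printf("%s: chains=%d err=%v\n", leaf.Subject.CommonName, len(chains), err)
	}
	// Only intermediate A supplied: leaf B cannot be chained to the root.
	_, err = VerifyWithPools(pki.LeafB, roots, ints[:1])
	fmt.Println("leaf B without intermediate B:", err)
	// An intermediate is not trusted as a root merely because it is a CA.
	_, err = VerifyWithPools(pki.LeafA, nil, ints)
	fmt.Println("no roots supplied:", err)
}
```

The two negative cases at the end are the practitioner's checks: a missing intermediate fails closed rather than silently trusting a shorter chain, and a CA certificate placed in the intermediates set never acts as a trust anchor. Passing an empty, non-nil root pool matters, because a nil `Roots` makes `Verify` fall back to the host's system trust store.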