Check validity of applicable TP and TS before fetching signatures from registry.  #790

@priteshbandi

Context: #771 (comment)
Currently, the signature verification process in Notation involves fetching the signature and subsequently validating the trust store's validity. However, this method has the following concerns:

  1. The error messages provided to users in case of verification failure are not very user-friendly. (Refer to the link above for examples)
  2. If either the Trust Store (TS) or Trust Policy (TP) is malformed, signature validation will always fail. This renders the fetching and validation of signatures unnecessary. Essentially, we're advocating for fast fail.

Ambiguous Specification
Presently, there exist specifications that introduce a conflicting requirement. In one instance, we state that before commencing signature verification, both the TS and TP should be valid, while in the other, this is not explicitly emphasized.

Recommended Solution

  1. Amend the specification to state: "User has configured a valid trust store and trust policy."
  2. Make a code change to validate the relevant TS and TP before obtaining the signature. Here, 'relevant' refers to the TP and TS identified for a specific scope.
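An added illustration of the ordering proposed in the second recommendation, not Notation's own code: the trust policy and trust stores for the requested scope are checked first, and the registry is contacted only if that check passes. `Policy`, `Verifier`, `Preflight` and the injected `Fetch` are hypothetical names, and scope matching is simplified to an exact repository match.

```go
package main

import (
	"fmt"
	"strings"
)

type Policy struct { // hypothetical, simplified types; not Notation's API
	Name        string
	TrustStores []string // "type:name" references, e.g. "ca:acme"
}
type Verifier struct {
	Policies map[string]Policy      // repository scope -> trust policy (TP)
	Stores   map[string]int         // trust store (TS) reference -> certificate count
	Fetch    func(ref string) error // registry round trip, injected
}

// Preflight validates only the TP and TS that apply to repo.
func (v *Verifier) Preflight(repo string) error {
	p, ok := v.Policies[repo]
	if !ok {
		return fmt.Errorf("no trust policy applies to %q", repo)
	}
	if len(p.TrustStores) == 0 {
		return fmt.Errorf("trust policy %q lists no trust store", p.Name)
	}
	for _, ts := range p.TrustStores {
		if typ, name, ok := strings.Cut(ts, ":"); !ok || typ == "" || name == "" {
			return fmt.Errorf("trust policy %q: malformed trust store %q", p.Name, ts)
		}
		if v.Stores[ts] == 0 {
			return fmt.Errorf("trust store %q (policy %q) is missing or empty", ts, p.Name)
		}
	}
	return nil
}

// Verify fails fast: the registry is contacted only after Preflight passes.
func (v *Verifier) Verify(repo, ref string) error {
	if err := v.Preflight(repo); err != nil {
		return fmt.Errorf("signature not fetched: %w", err)
	}
	return v.Fetch(ref) // signature validation against the TS would follow
}

func main() { // constructed input: "prod" references a store that is absent
	v := &Verifier{map[string]Policy{"r.example/app": {"prod", []string{"ca:acme"}}}, nil, nil}
	fmt.Println(v.Verify("r.example/app", "r.example/app:v1"))
}
```

Because only the policy matched to the scope is checked, a malformed policy for another repository does not block verification of this one.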

Labels: bug, error message, help wanted, perf

Status: Todo
