Description
Our current signing and verification documentation is restricted purely to plain RSA signatures without PEM information. https://ocm.software/docs/tutorials/sign-and-verify-components/
We have PEM encoding available via https://github.com/open-component-model/open-component-model/blob/main/bindings/go/rsa/signing/v1alpha1/encoding_policy_pem.go
As a User I want to use the OCM CLI to be able to:
- sign component versions with a private key derived from a certificate that has a trust root / intermediary
- verify component versions with a CA that was used to create the signature, optionally including an issuer field.
I want to be able to choose if I want to encode just the leaf certificate or the intermediary chain in the component version. I want to be able to provide both self-signed root CAs or intermediary CAs in my credential graph configuration that then get resolved against my system trust root.
Source: This comes from Platform Mesh since they want to sign the platform mesh components with a key that is based on a trust root CA that is distributable.
Done Criteria
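An added example (not OCM's implementation and not part of the original issue) of the certificate-trust step this request describes, using Go's standard `crypto/x509`: a leaf-only encoding verifies only when the verifier already holds the intermediate, while an embedded chain needs just the root. The names `issue` and `trustSigner`, the constructed demo PKI, and matching the issuer against the leaf's subject common name are assumptions; PEM decoding and the RSA signature check over the digest are left out.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue creates a short-lived demo certificate (fixture only, errors elided); nil parent = self-signed root.
func issue(cn string, ku x509.KeyUsage, parent *x509.Certificate, pk *rsa.PrivateKey) (*x509.Certificate, *rsa.PrivateKey) {
	key, _ := rsa.GenerateKey(rand.Reader, 2048)
	t := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		KeyUsage: ku, IsCA: ku&x509.KeyUsageCertSign != 0, BasicConstraintsValid: true,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	if parent == nil {
		parent, pk = t, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, t, parent, &key.PublicKey, pk)
	c, _ := x509.ParseCertificate(der)
	return c, key
}

// trustSigner requires a path from leaf to a trusted root (nil roots = system pool). inters, embedded with
// the signature or verifier-supplied, only aid path building; an empty issuer skips the issuer check.
func trustSigner(leaf *x509.Certificate, inters []*x509.Certificate, roots *x509.CertPool, issuer string) error {
	if issuer != "" && leaf.Subject.CommonName != issuer {
		return fmt.Errorf("issuer %q does not match certificate subject %q", issuer, leaf.Subject.CommonName)
	}
	opts := x509.VerifyOptions{Roots: roots, Intermediates: x509.NewCertPool(),
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	for _, c := range inters {
		opts.Intermediates.AddCert(c)
	}
	_, err := leaf.Verify(opts)
	return err
}

func main() { // constructed demo PKI: root -> intermediate -> signer
	root, rk := issue("demo-root", x509.KeyUsageCertSign, nil, nil)
	ca, ck := issue("demo-intermediate", x509.KeyUsageCertSign, root, rk)
	leaf, _ := issue("demo-signer", x509.KeyUsageDigitalSignature, ca, ck)
	roots := x509.NewCertPool()
	roots.AddCert(root)
	fmt.Println("leaf only:", trustSigner(leaf, nil, roots, ""))
	fmt.Println("chain embedded:", trustSigner(leaf, []*x509.Certificate{ca}, roots, "demo-signer"))
}
```

Because embedded certificates are added only to the intermediates pool, a chain that ends in a root the verifier has not configured is rejected even when it is complete.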