chore(docs): add ADR proposal for signing and verification of component descriptors#767
Merged
jakobmoellerdev merged 8 commits intoSep 5, 2025
Conversation
…criptors Signed-off-by: Jakob Möller <jakob.moeller@sap.com>
Co-authored-by: Matthias Bruns <github@matthiasbruns.com> Signed-off-by: Jakob Möller <jakob.moeller@sap.com>
- Introduced detailed sections on signing and verifying component descriptors, including new commands for signing stages (`add digest` and `sign` separately). - Updated `RSASSA-PKCS1-V1_5` configuration examples to provide clearer guidance for `signer` and `verifier` usage. - Added support for two-stage signing process to support CI/CD workflows. - Revised Credential Consumer Identity examples to reflect supported configurations. - Improved interface definitions for signing and verification to enforce robust handling of credentials and configurations. These updates enhance user clarity and align implementation with the latest updates. Signed-off-by: Jakob Möller <jakob.moeller@sap.com>
3684fbd to
e0033ba
Compare
…store integration - Updated documentation to rename headings `Basic Signing` and `Basic Verification` for improved clarity. - Added detailed workflows for two-stage signing using `add digest` and `sign` commands. - Introduced new diagrams illustrating signing and verification flows for both `RSASSA-PKCS1-V1_5` and Sigstore. - Expanded `Sigstore` ADR section, including configuration, signing, and verification processes. - Enhanced examples for credential consumer configuration and identity resolution. - Updated command-line usage examples to reflect support for Sigstore-specific signing and verification. These changes provide clearer guidance for using advanced signing and verification features, aligning with modern workflows and expanding support for secure integrations. Signed-off-by: Jakob Möller <jakob.moeller@sap.com>
e0033ba to
a5eacee
Compare
Contributor
|
🤯 |
Skarlso
reviewed
Sep 2, 2025
Skarlso
left a comment
Contributor
There was a problem hiding this comment.
Well done, amazing job with this write-up. I don't have any major concerns but I do have a couple of questions as always. :)
fabianburth
requested changes
Sep 3, 2025
Contributor
|
Well done! Awesome sequence diagrams - they help a lot to understand what's supposed to be going on. Most things are kind of nits. The thing I actually didn't get is where the |
Member
Author
|
|
Contributor
So, we'd have a static list of known signers and would register them under that particular name. That is because we don't expect a particular singing config type to map to exactly one particular handler implementation? |
Member
Author
|
Im guessing you might have a |
- Clarified distinctions between signing, normalization, and digest calculation processes in documentation. - Updated terminology and examples to reflect the transition from `--upload` to `--dry-run=false` for descriptor updates. - Improved interface definitions for signing and verification, ensuring consistency in configuration and credential usage. - Enhanced diagrams with additional flow steps to improve clarity for signing and verification workflows. - Renamed certain headings for better readability and streamlined example YAML configurations. These changes ensure greater clarity and accuracy in the documentation, aligning it with current implementation behavior and conventions. Co-authored-by: Fabian Burth <fabian.burth@sap.com> Co-authored-by: Gergely Brautigam <gergely.brautigam@sap.com> Signed-off-by: Jakob Möller <jakob.moeller@sap.com>
d924c72 to
adac8aa
Compare
- Updated `Sign` and `Verify` interface descriptions to document fallback behavior to environment or implementation defaults. - Corrected `GetVerifyingCredentialConsumerIdentity` comment to properly reflect its usage with `Verify` instead of `Sign`. - Ensured documentation aligns with consistent terminology and intended interface behavior. These updates enhance clarity and provide precise guidance on expected functionality, improving alignment with best practices. Signed-off-by: Jakob Möller <jakob.moeller@sap.com>
adac8aa to
aa5f054
Compare
…cation-handler # Conflicts: # .github/config/wordlist.txt
- Replaced all references of `RSASSA-PKCS1-V1_5` with `RSASSA-PSS` in the documentation. - Updated configuration examples, YAML specifications, and flow diagrams to reflect `RSASSA-PSS` as the new default handler. - Adjusted interface descriptions and command-line usage examples to maintain alignment with the updated signing/verification handler. This change ensures clearer documentation and highlights the transition to the recommended signing algorithm for improved security. Signed-off-by: Jakob Möller <jakob.moeller@sap.com>
Member
Author
|
@Skarlso @fabianburth would need a final review |
Skarlso
approved these changes
Sep 5, 2025
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
4 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Continuation of #547 and #599
What this PR does / why we need it
Enable easy interpretation of component descriptors in normalized form and provide a consistent experience for signing and verifying component descriptors.
Which issue(s) this PR fixes
fix open-component-model/ocm-project#579