Summary
The sign() and verify() functions in pkg/complypack/ are stubs that return "not yet implemented." Rather than finishing these, signing should use cosign sign in CI after oras push -- the standard tool for signing OCI artifacts, already used for release binaries.
Verification is moving to complyctl (the consumer side), where it applies to both Gemara policy bundles and complypacks via sigstore-go.
What to remove
sign.go and sign_test.go
verify.go and verify_test.go
WithSigning(), WithKeylessSigning() and signing fields from packOptions in options.go
WithVerification(), WithKeylessVerification() and verification fields from unpackOptions in options.go
sign() call in Pack() (pack.go:106)
verify() call in Unpack() (unpack.go:48)
ErrSigningFailed and ErrVerificationFailed from errors.go
complypack becomes a pure pack/unpack library. No trust decisions.
Context
Summary
The
sign()andverify()functions inpkg/complypack/are stubs that return "not yet implemented." Rather than finishing these, signing should usecosign signin CI afteroras push-- the standard tool for signing OCI artifacts, already used for release binaries.Verification is moving to complyctl (the consumer side), where it applies to both Gemara policy bundles and complypacks via sigstore-go.
What to remove
sign.goandsign_test.goverify.goandverify_test.goWithSigning(),WithKeylessSigning()and signing fields frompackOptionsinoptions.goWithVerification(),WithKeylessVerification()and verification fields fromunpackOptionsinoptions.gosign()call inPack()(pack.go:106)verify()call inUnpack()(unpack.go:48)ErrSigningFailedandErrVerificationFailedfromerrors.gocomplypack becomes a pure pack/unpack library. No trust decisions.
Context
getpulls policy bundles without verifying signatures (THR02 mitigation gap) complyctl#607 is the original THR02 mitigation gap issue