Skip to content

Remove sign/verify stubs in favor of cosign CLI #83

Description

@jpower432

Summary

The sign() and verify() functions in pkg/complypack/ are stubs that return "not yet implemented." Rather than finishing these, signing should use cosign sign in CI after oras push -- the standard tool for signing OCI artifacts, already used for release binaries.

Verification is moving to complyctl (the consumer side), where it applies to both Gemara policy bundles and complypacks via sigstore-go.

What to remove

  • sign.go and sign_test.go
  • verify.go and verify_test.go
  • WithSigning(), WithKeylessSigning() and signing fields from packOptions in options.go
  • WithVerification(), WithKeylessVerification() and verification fields from unpackOptions in options.go
  • sign() call in Pack() (pack.go:106)
  • verify() call in Unpack() (unpack.go:48)
  • ErrSigningFailed and ErrVerificationFailed from errors.go

complypack becomes a pure pack/unpack library. No trust decisions.

Context

Metadata

Metadata

Assignees

No one assigned

    Labels

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    Status
    Backlog

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions