Remove conditional use of bouncy castle #144
Conversation
…l jdk versions Signed-off-by: Patrick Flynn <patrick@chainguard.dev>
|
Just wondering: can tuf be located in its own module? E.g.:
|
Signed-off-by: Patrick Flynn <patrick@chainguard.dev>
|
I think it could be eventually. Currently it's very much a sigstore specific implementation. |
Signed-off-by: Patrick Flynn <patrick@chainguard.dev>
|
@vlsi just to be more clear to your question. I have no objection to breaking them out as modules. I'm not in any personal rush to do it. :) |
Well, I see what you mean. On the other hand, it might be useful to have "offline-no-dependency-verifier" module :) |
|
Oh do you mean an offline signature verification mode?
…On Mon, Sep 12, 2022 at 8:50 AM Vladimir Sitnikov ***@***.***> wrote:
I have no objection to breaking them out as modules. I'm not in any
personal rush to do it. :)
Well, I see what you mean.
On the other hand, it might be useful to have
"offline-no-dependency-verifier" module :)
—
Reply to this email directly, view it on GitHub
<#144 (comment)>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/AB37SHJHGU4V7QNMFSWEY33V54RI3ANCNFSM6AAAAAAQKMSDCM>
.
You are receiving this because you modified the open/close state.Message
ID: ***@***.***>
|
Exactly. |
|
I guess it depends on the use-case and just how off-line we want to be. I think we want verification to not generate any rekor traffic by default, but that still requires parsing and verifying the signing bundle and tuf metadata. It'd be a really good idea to specify an offline flow but that will be a lot easier to do after the new bundle spec lands and after we've added the TUF root data to the rekor entry. |
TUF code requires Bouncy Castle in all jdk versions
Signed-off-by: Patrick Flynn patrick@chainguard.dev