diff --git a/peps/pep-0761.rst b/peps/pep-0761.rst index 49808fbcf..36825a9e6 100644 --- a/peps/pep-0761.rst +++ b/peps/pep-0761.rst 
@@ -207,9 +207,57 @@ During the `pre-PEP discussion `_. -When in offline mode, Sigstore can't verify whether a signature has been -revoked. This is a similar restriction to PGP key revocations not being -detectable during offline verification. + +Using offline verification with Sigstore requires disabling root of trust +updates and "pinning" a root of trust in a file to use during verification. + +Pinning a root of trust means signatures made after a *new* root of trust +is established would no longer be able to verify using a "pinned" previous +root of trust. New roots of trust are expected to be rare events, such as +when the root of trust is compromised, and in this case verifiers would +want signatures to fail to verify. + +Offline verification also makes revocation checks impossible, but this +is similar to PGP's model where revocation of keys requires an online lookup. + +Barring rare events like root of trust compromise, using offline verification +with Sigstore doesn't impose additional operations requirements to verifiers. + +Support for a pre-compiled executable for verification +------------------------------------------------------ + +During discussion there were requests for a pre-compiled executable that could +be used for verifying Sigstore bundles without needing to either install +a Go build toolchain to build `sigstore-go `_ +from source or already have a working Python installation for +`sigstore-python `_. + +`Cosign `_ is another Sigstore project +that provides pre-compiled standalone binaries and supports verifying bundles +offline: + +.. code-block:: + + # Download Cosign + wget https://github.com/sigstore/cosign/releases/download/v2.4.1/cosign-linux-amd64 + + # For offline verification, also need the Root of Trust. 
Can be grabbed + # from GitHub at: https://github.com/sigstore/root-signing/blob/main/targets/trusted_root.json + wget https://raw.githubusercontent.com/sigstore/root-signing/refs/heads/main/targets/trusted_root.json + + # Download CPython artifacts + wget https://www.python.org/ftp/python/3.13.0/Python-3.13.0.tgz + wget https://www.python.org/ftp/python/3.13.0/Python-3.13.0.tgz.sigstore + + ./cosign-linux-amd64 verify-blob \ + --new-bundle-format \ + --certificate-oidc-issuer 'https://accounts.google.com' \ + --certificate-identity 'thomas@python.org' \ + --bundle ./Python-3.13.0.tgz.sigstore \ + # --offline and --trust-root optional for offline verification + --offline \ + --trust-root ./trusted_root.json \ + ./Python-3.13.0.tgz Copyright =========
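Review bot: in the `verify-blob` invocation inside the new `.. code-block::`, the comment line `# --offline and --trust-root optional for offline verification` is placed between backslash-continued arguments, so when a reader pastes the snippet the comment swallows its own trailing `\` and the command ends after `--bundle ./Python-3.13.0.tgz.sigstore \`; `--offline \` is then executed as a separate command and the blob path `./Python-3.13.0.tgz` never reaches cosign. Move the comment above the `./cosign-linux-amd64 verify-blob \` line, and reword it, because the paragraph added earlier in this hunk says offline verification *requires* a pinned root of trust, so "optional" is misleading (e.g. `# --offline and --trust-root are only needed for offline verification`). Smaller points in the same hunk: the `.. code-block::` directive carries no language, so `.. code-block:: bash` would get highlighting; the `wget` of `trusted_root.json` from `refs/heads/main` fetches a moving branch head, which sits oddly beside the text about "pinning" a root of trust, so pointing at a tagged release or a fixed commit would match the prose better; and "additional operations requirements" reads more naturally as "additional operational requirements".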