Niels Möller via Sigsum-general sigsum-general@lists.sigsum.org writes:
I can't seem to get around the need to somehow be able to download the checksummed content corresponding to ALL signatures from a particular key.
I think that observation is absolutely right. That publication service is something the project or key holder needs to operate or rely on, separately from the sigsum logging.
Thanks for confirming that, I wasn't certain.
I think there are ways to avoid this, by adding more logic to the log, just like Sigstore has. If it was possible to add a context separator tag to a submission, and that were stored in the log, a monitor could filter for only the relevant context tags.
It is okay if I make a mistake and sign some corrupt tarball: I can explain this situation if I still have the corrupt tarball. But if I run a set of commands to sign some artifact that I accidentally remove, then things are really bad for that key.
To reduce the risk for mistakes, when using your actual release signing key, it makes sense to ensure that the artifact is reliably archived, *before* signing and submitting it to the log. Maybe we can add some features to sigsum-submit to help, e.g., accept both a url and a local file as argument, and ensure that they are identical before signing, or maybe even upload directly with the archival service if we can define the conventions for that.
Yes, I think that this combined functionality would be nice. Since the "no hidden release" property appears to depend so strongly on a workflow that forever only adds signatures for publicly available content, the tools can help to assert that before completing the upload.
I'm thinking something like this:
  ssh-add -L > jas.pub
  sigsum-submit -k jas.pub libidn2-2.3.8.tar.gz
  sigsum-submit --timeout 30s --diagnostics=debug -p sigsum-policy-20250309.txt --token-signing-key ~/self/sigsum-token-secret-josefsson.org/mykey --token-domain josefsson.org --content-url https://ftp.gnu.org/gnu/libidn/libidn2-2.3.8.tar.gz libidn2-2.3.8.tar.gz.req
The tool should attempt to download the URL and verify that its SHA256 checksum matches the 'message' field in the *.req file.
/Simon
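The check proposed above, as an added example written for this thread (it is not sigsum's own code and not part of sigsum-submit): read the *.req file, pull out the hex "message" field, and refuse to proceed unless the SHA256 of the content fetched from the public URL equals it. The key=value line layout of the request file and the name of the "message" field are assumed from the discussion; the sample request and tarball bytes are constructed, and the signature and public key in it are placeholders.

```go
package main

import (
	"bytes"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"io"
	"net/http"
	"os"
	"strings"
)

// parseReqMessage returns the raw digest from the "message=<hex>" line of a
// sigsum add-leaf request. The key=value line layout is an assumption here.
func parseReqMessage(req string) ([]byte, error) {
	for _, line := range strings.Split(req, "\n") {
		key, value, ok := strings.Cut(strings.TrimSpace(line), "=")
		if !ok || key != "message" {
			continue
		}
		digest, err := hex.DecodeString(value)
		if err != nil {
			return nil, fmt.Errorf("message field is not hex: %w", err)
		}
		if len(digest) != sha256.Size {
			return nil, fmt.Errorf("message field is %d bytes, want %d", len(digest), sha256.Size)
		}
		return digest, nil
	}
	return nil, errors.New("request has no message field")
}

// checksumMatches reports whether sha256(content) equals the request's
// message field, i.e. whether the publicly served artifact is the one that
// was signed. A mismatch means the signature must not be submitted to the log.
func checksumMatches(req string, content []byte) (bool, error) {
	want, err := parseReqMessage(req)
	if err != nil {
		return false, err
	}
	got := sha256.Sum256(content)
	return bytes.Equal(got[:], want), nil
}

// fetch downloads the artifact from the public URL. Only main uses it, so
// everything else in the file can be exercised offline.
func fetch(url string) ([]byte, error) {
	resp, err := http.Get(url)
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return nil, fmt.Errorf("GET %s: %s", url, resp.Status)
	}
	return io.ReadAll(resp.Body)
}

// Constructed sample data: stand-in tarball bytes and a request whose
// message field is their SHA256. Signature and key are placeholders.
const sampleContent = "not a real tarball, constructed for the example\n"

var sampleReq = func() string {
	sum := sha256.Sum256([]byte(sampleContent))
	return "message=" + hex.EncodeToString(sum[:]) + "\n" +
		"signature=<PLACEHOLDER-HEX-SIGNATURE>\n" +
		"public_key=<PLACEHOLDER-HEX-KEY>\n"
}()

func main() {
	// Usage: verify-req <content-url> <file.req>
	if len(os.Args) != 3 {
		fmt.Fprintln(os.Stderr, "usage: verify-req <content-url> <file.req>")
		os.Exit(2)
	}
	req, err := os.ReadFile(os.Args[2])
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	content, err := fetch(os.Args[1])
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	ok, err := checksumMatches(string(req), content)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	if !ok {
		fmt.Fprintln(os.Stderr, "refusing to submit: published content does not match the request's message field")
		os.Exit(1)
	}
	fmt.Println("published content matches the request; safe to submit")
}
```

The point of doing the comparison against the bytes actually served from the URL, rather than against the local file, is that it is the public copy that a monitor or downstream user will later hash and look for; a local file that was never uploaded, or was uploaded with different bytes, is exactly the "hidden release" case the thread is worried about.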