Simon Josefsson simon@josefsson.org writes:
I believe you can still provide a builtin default-policy, if you want to, by including a default trust policy together with sigsum-verify, and have the installation process put that in the right place so the tool finds it automatically.
If the install process is `go install sigsum.org/sigsum-go@vx.y.z` I don't think there's any way to get auxiliary files installed?
One could potentially embed the data (or hash of data + url) in some executable, but not use that directly. But have users do something like `go run sigsum.org/sigsum-go/cmd/sigsum-install@vx.y.z ...` to install default policies somewhere in /etc or $HOME, depending on privileges and command line arguments.
Or we could try to discourage this way of using the go tools to install sigsum (and instead advertise some method that verifies our release signatures), but I suspect that will be a bit futile.
Regards, /Niels
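A sketch of the installer idea from the message above, written as an added example and not code from the sigsum project: the binary carries a pinned SHA-256 digest of the default policy, refuses to install bytes that do not match it, chooses a system-wide or per-user destination from the effective uid, and does not overwrite an existing policy unless asked. The destination paths, the function names and the policy contents are assumptions made for this example.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"os"
	"path/filepath"
)

var ErrDigestMismatch = errors.New("policy digest does not match pinned value")

// verifyPolicy compares data with the hex SHA-256 digest the installer ships
// with, so only the exact policy pinned at release time gets installed.
func verifyPolicy(data []byte, wantHex string) error {
	sum := sha256.Sum256(data)
	if hex.EncodeToString(sum[:]) != wantHex {
		return ErrDigestMismatch
	}
	return nil
}

// installPath picks a system-wide file for root and a per-user file under
// $HOME otherwise. Both locations are assumptions, not sigsum's convention.
func installPath(euid int, home string) string {
	if euid == 0 {
		return "/etc/sigsum/trust_policy"
	}
	return filepath.Join(home, ".config", "sigsum", "trust_policy")
}

// installPolicy writes data to dst (parents 0755, file 0644) and refuses to
// replace an existing policy unless force is set.
func installPolicy(dst string, data []byte, force bool) error {
	if _, err := os.Stat(dst); err == nil && !force {
		return fmt.Errorf("%s already exists; pass force to replace it", dst)
	}
	if err := os.MkdirAll(filepath.Dir(dst), 0o755); err != nil {
		return err
	}
	return os.WriteFile(dst, data, 0o644)
}

func main() {
	policy := []byte("# constructed placeholder policy, not a real sigsum policy\n")
	sum := sha256.Sum256(policy)
	pinned := hex.EncodeToString(sum[:]) // a real installer embeds this constant
	if err := verifyPolicy(policy, pinned); err != nil {
		fmt.Println("refusing to install:", err)
		os.Exit(1)
	}
	dst := installPath(os.Geteuid(), os.Getenv("HOME"))
	fmt.Println(installPolicy(dst, policy, false), dst)
}
```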