Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Option to substitute signing algorithm to a custom version #210

Open
anotherbridge opened this issue Feb 23, 2023 · 3 comments
Open

Option to substitute signing algorithm to a custom version #210

anotherbridge opened this issue Feb 23, 2023 · 3 comments
Labels
enhancement New feature or request

Comments

@anotherbridge
Copy link

Description of the feature request:

Are there any plans to add an option that a custom binary for the signing could be used?

The reason I'm asking this is because for security reasons we would like to replace the signing performed by a Rust implementation. Additionally we would like to add entropy checks before the signing.
Moreover, in case that in the future algorithms that are used will be considered as weak/unsafe it would be great to have the described feature to easily substitute to stronger algorithms.

@anotherbridge anotherbridge added the enhancement New feature or request label Feb 23, 2023
@adityasaky
Copy link
Member

We've discussed making the in-toto specification more agnostic to the signing key algorithms, mechanisms, and so on. Inherently, there's nothing locking us into one algorithm / mechanism or another, it's all a question of support. Do you have any thoughts on how to use other binaries for signing, and how to ensure compatibility with other in-toto implementations which may verify the resulting metadata? For the former, we could look to git, for example, but the second question makes it difficult IMO.

@Pierre-Gronau-ndaal
Copy link

maybe you consider for entropy checking the following code:

https://github.com/kzahedi/goent
GitHub - kzahedi/goent: GO Implementation of Entropy Measures

License should not be a problem:

https://opensource.stackexchange.com/questions/11640/can-mit-and-apache-licenses-be-used-together
Can MIT and Apache licenses be used together? - Open Source Stack Exchange

@Pierre-Gronau-ndaal
Copy link

possible generic rust cli for integrating:

cargo install sha3sum
cargo install b3sum
cargo install k12sum

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
enhancement New feature or request
Projects
None yet
Development

No branches or pull requests

3 participants