Are there any plans to add an option so that a custom binary could be used for signing?
The reason I'm asking this is that, for security reasons, we would like to replace the signing performed by a Rust implementation. Additionally, we would like to add entropy checks before signing.
Moreover, in case the algorithms that are used are considered weak/unsafe in the future, it would be great to have the described feature so that stronger algorithms can easily be substituted.
We've discussed making the in-toto specification more agnostic to the signing key algorithms, mechanisms, and so on. Inherently, there's nothing locking us into one algorithm / mechanism or another, it's all a question of support. Do you have any thoughts on how to use other binaries for signing, and how to ensure compatibility with other in-toto implementations which may verify the resulting metadata? For the former, we could look to git, for example, but the second question makes it difficult IMO.