Request to support signing using AWS KMS keys #334
Comments
FYI: The crypto interface used by the Python in-toto implementation provides an AWSSigner: https://github.com/secure-systems-lab/securesystemslib/blob/main/securesystemslib/signer/_aws_signer.py Maybe this could be ported to Go. Here is some additional info about the Signer API: https://python-securesystemslib.readthedocs.io/en/latest/signer.html
@lukpueh hmm, so does that mean writing different implementations of signing the payload, and storing a field,
@adityasaky yes, I was also wondering if witness AWS KMS support would be added to in-toto-golang.
Yes.
No. I haven't looked at the dsse implementation in in-toto-golang in detail, but the following design worked well for us on the Python side:
IIRC go-securesystemslib has a similar design.
Hey @semmet95! 👋 With respect to your question:
Hi @adityasaky, I'm wondering if you guys have any timeline regarding consolidating in-toto-golang's functionality into witness 🤔
Hi,
I'm currently using in-toto-golang to generate an attested DSSE envelope, signing it with a locally generated key. I'd like to sign the envelope using a key stored in AWS KMS. From what I could figure out, this would probably require using the AWS SDK, the KMS client to be more specific.
I'm not completely sure how to add this feature; if someone can guide me, I'll be happy to contribute.
If anyone knows a workaround for how I can use KMS keys with in-toto-golang, I'd love to know that too.