Rasmus Dahlberg via Sigsum-general sigsum-general@lists.sigsum.org writes:
> Use the .proof file to verify the Sigsum proof. These files are like signatures with extra transparency: you can cryptographically verify that every proof is logged in a public append-only log, so you can say with confidence what signatures exist. This helps to protect against secret (targeted and/or malicious) releases.
> If you want some inspiration for why the above paragraph is true:
> https://git.glasklar.is/rgdd/age-release-verify
> I'd love to see a similar prototype for your use-case!
Neat!
Could that tool be extended to do the same for arbitrary release proofs, not only 'age'? Maybe call it 'sigsum-release-verify'?
Could this functionality be built into 'sigsum-verify'?
Or could the functionality of 'sigsum-verify' be built into 'sigsum-release-verify'?
Having a small dedicated-purpose tool similar to 'gpgv' but doing Sigsum signature verification against some trust policy and/or checking for hidden releases would be good for release announcement instructions.
It would be nice if users don't have to run two separate tools to do these checks, if they can be done quickly at the same time.
I suppose checking for hidden releases is an online operation?
Bonus points for a Python or C client too :)
/Simon