Simon Josefsson via Sigsum-general sigsum-general@lists.sigsum.org writes:
> This is designed on a per-user/key perspective rather than per-project perspective. I'm not sure what a monitor for a single project with releases signed by multiple people would look like, since those people could also sign other unrelated artifacts.
There may be other ways, but I think this case needs an additional level of indirection.
The key owner would need to sign and publish claims, where at a minimum a claim is some machine-readable statement like "the artifact with sha256 hash xxx is an official artifact of the foo project". The key owner would sign such claims, and submit them to the log. And in addition, publish them in a way so that they can be retrieved by hash.
A monitor enumerates signatures of interest, retrieves each corresponding claim, and can then do further verification of claims about projects of interest to the monitor.
On the verifier side, one would need the artifact itself, the claim, and the sigsum proof for that claim, which gets a bit more unwieldy. If we want to stick to the verifier story that it's an artifact with a "spicy signature", that means that we need to start thinking about bundling claim + proof. Defining a machine-readable claim format might be a can of worms, but I think it can be an important improvement over the current state where the closest thing we have to a claim is the filename of the signed artifact, for which the authenticity story is rather weak.
Regards, /Niels
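The claim/monitor/verifier flow sketched in the message above, as an added example in Go; this is not code from the thread or from the sigsum project. The three-field claim and its line-based canonical encoding, the in-memory log and content-addressed store, the `Leaf` type (a stand-in for a log entry that carries only the claim hash and the key owner's Ed25519 signature over it, with the log's cosigned inclusion proof left out), and the names `Publish`, `Monitor`, `Verify` and `VerifyClaim` are all assumptions of this example. The one point it tries to show beyond the text is why the hash, and not the filename, has to be inside the signed claim: the monitor can filter the same key's signatures down to one project, and a verifier given a genuine claim for the wrong project, or a tampered claim, or the wrong artifact, rejects each for a different reason.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// Claim: "the artifact with sha256 hash SHA256 is an official artifact of project
// Project". The field set and the line-based encoding are this example's assumptions.
type Claim struct {
	Project string
	SHA256  string // lowercase hex of the artifact's SHA-256
}
// Encode is the single canonical encoding: fixed field order, one field per line.
func (c Claim) Encode() []byte {
	return []byte("claim=official-artifact\nproject=" + c.Project + "\nsha256=" + c.SHA256 + "\n")
}
// ParseClaim is the strict inverse of Encode; anything else is rejected.
func ParseClaim(b []byte) (Claim, error) {
	l := strings.Split(strings.TrimSuffix(string(b), "\n"), "\n")
	if len(l) != 3 || l[0] != "claim=official-artifact" ||
		!strings.HasPrefix(l[1], "project=") || !strings.HasPrefix(l[2], "sha256=") {
		return Claim{}, errors.New("malformed claim")
	}
	c := Claim{Project: l[1][len("project="):], SHA256: l[2][len("sha256="):]}
	if raw, err := hex.DecodeString(c.SHA256); err != nil || len(raw) != sha256.Size {
		return Claim{}, errors.New("claim has no valid sha256 field")
	}
	return c, nil
}
// Leaf stands in for a log entry: claim hash plus the owner's signature over it
// (assumption: the log's cosigned inclusion proof is not modelled here).
type Leaf struct {
	ClaimHash [32]byte
	Signature []byte
	PublicKey ed25519.PublicKey
}
// Publish is the key owner's side: sign, submit to the log, publish the claim by hash.
func Publish(priv ed25519.PrivateKey, c Claim, log *[]Leaf, store map[[32]byte][]byte) Leaf {
	cb := c.Encode()
	h := sha256.Sum256(cb)
	leaf := Leaf{h, ed25519.Sign(priv, h[:]), priv.Public().(ed25519.PublicKey)}
	*log = append(*log, leaf)
	store[h] = cb
	return leaf
}
// VerifyClaim ties claim bytes to a leaf: same hash, valid signature, parses cleanly.
func VerifyClaim(leaf Leaf, claimBytes []byte) (Claim, error) {
	if sha256.Sum256(claimBytes) != leaf.ClaimHash {
		return Claim{}, errors.New("claim bytes do not match logged hash")
	}
	if !ed25519.Verify(leaf.PublicKey, leaf.ClaimHash[:], leaf.Signature) {
		return Claim{}, errors.New("bad signature on claim")
	}
	return ParseClaim(claimBytes)
}
// Monitor enumerates the log, keeps leaves from keys of interest (hex public keys),
// fetches each claim by hash and reports the artifact hashes claimed for one project.
func Monitor(log []Leaf, trusted map[string]bool, store map[[32]byte][]byte, project string) ([]string, error) {
	var out []string
	for _, leaf := range log {
		if !trusted[hex.EncodeToString(leaf.PublicKey)] {
			continue // signatures by other people are not of interest
		}
		cb, ok := store[leaf.ClaimHash]
		if !ok { // a logged signature whose claim cannot be fetched is itself a finding
			return nil, fmt.Errorf("claim %x logged but not retrievable", leaf.ClaimHash[:4])
		}
		c, err := VerifyClaim(leaf, cb)
		if err != nil {
			return nil, err
		}
		if c.Project == project { // the same keys' claims about other projects are ignored
			out = append(out, c.SHA256)
		}
	}
	return out, nil
}
// Verify is the consumer's side, given the bundle (artifact, claim, leaf): a trusted
// signer, the expected project, and a claimed hash matching the artifact in hand.
func Verify(artifact, claimBytes []byte, leaf Leaf, trusted map[string]bool, project string) error {
	if !trusted[hex.EncodeToString(leaf.PublicKey)] {
		return errors.New("claim signed by an untrusted key")
	}
	c, err := VerifyClaim(leaf, claimBytes)
	if err != nil {
		return err
	}
	if c.Project != project {
		return fmt.Errorf("claim is for project %q, not %q", c.Project, project)
	}
	if sum := sha256.Sum256(artifact); hex.EncodeToString(sum[:]) != c.SHA256 {
		return errors.New("artifact hash does not match claim")
	}
	return nil
}
```

To exercise it, generate a key with `ed25519.NewKeyFromSeed`, call `Publish` once per release (the same key may publish claims for several projects), run `Monitor` with the set of trusted keys and the project name, and on the consuming side hand `Verify` the artifact bytes, the claim bytes fetched by hash, and the leaf. Note that `Monitor` treats a logged signature whose claim cannot be retrieved as an error rather than skipping it: a signature that exists in the log but whose statement nobody can read is exactly the case a monitor should flag.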