I'm attempting to design a JWS-JS-inspired format into a code signing
mechanism for Python wheel files. It works. The payload just includes
a hash of a manifest that in turn includes the hash of all the other
files in the archive, and the signatures always include the full
verifying key for the Ed25519 system in the header, like so. I like
it, but want a place to include information about the signature itself
(when was this signature added?) apart from the single payload. I see
there is some discussion of split headers that may provide it.
That's all. I really like the spec so far.
Daniel Holth

{'alg': 'Ed25519',
 'key': {'alg': 'Ed25519',
         'vk': u'dSUK9K1lSClpgCrtjTpywL3o-TfyCHQsD4xC6ey1GH4'},
 'typ': 'JWT'}

{'hash': 'sha256=N7if_qZx7EVe4hN72ajBrWZ5Gwqs74nkK1vWLGTQTFY'}

{"headers":
 ["eyJhbGciOiAiRWQyNTUxOSIsICJrZXkiOiB7ImFsZyI6ICJFZDI1NTE5IiwgInZrIjogImRTVUs5SzFsU0NscGdDcnRqVHB5d0wzby1UZnlDSFFzRDR4QzZleTFHSDQifSwgInR5cCI6ICJKV1QifQ"],
 "payload":
 "eyJoYXNoIjogInNoYTI1Nj1ON2lmX3FaeDdFVmU0aE43MmFqQnJXWjVHd3FzNzRua0sxdldMR1RRVEZZIn0",
 "signatures":
 ["KFt27VW2tM5Q637Mu4kyfqBRrxzJ9MRZ6O7ax8lSnKuVLMGG6bcNKkLqombv12bUV-8I-n-SlQfaGlSqnn_xAw"]}