Commit 21dae08

committed
Signature: Lint fixes
Signed-off-by: Olle E. Johansson <[email protected]>
1 parent 010a35f commit 21dae08

1 file changed

+9
-12
lines changed

signatures/signature.md

Lines changed: 9 additions & 12 deletions
Original file line numberDiff line numberDiff line change
@@ -8,15 +8,14 @@ signature files.
88

99
- __Integrity__: Documents dowloaded needs to be the same
1010
as documents published
11-
- __Identity__:
12-
- Customers needs to be able to verify the
11+
- __Identity__:
12+
- Customers need to be able to verify the
1313
publisher of the documents and verify that it is
1414
the expected publisher.
1515
- A TEA server may want to verify that published
1616
documents are signed by the expected publisher
1717
and that signatures are valid.
1818

19-
2019
In order to sign, a pair of asymmetric keys will be needed.
2120
The public key is used to create a certificate, signed
2221
by a certificate authority (CA).
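Review bot: the Integrity bullet on the unchanged context lines 9-10 still reads "Documents dowloaded needs to be the same as documents published"; since this hunk fixes the parallel "Customers needs" to "Customers need", the same fix belongs here: "Documents downloaded need to be the same as documents published".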
@@ -27,7 +26,7 @@ parties do not automatically trust that internal PKI.
2726

2827
This document outlines a proposal on how to build that trust and
2928
make it possible for publishers to use an internal PKI. It is
30-
of course important that this PKI is maintained according to
29+
of course important that this PKI is maintained according to
3130
best current practise.
3231

3332
## API trust
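Review bot: the replaced line 29 is identical to the removed line 30 in the rendered view, so this is presumably a trailing-whitespace removal; the context line right after it, "best current practise.", uses the verb spelling where the noun is meant and should read "best current practice.", which fits a lint-fix commit like this one.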
@@ -59,13 +58,13 @@ that would cause a chicken-and-egg problem.
5958
## Digital signatures
6059

6160
### Digital signatures as specified for CycloneDX
61+
6262
"Digital signatures may be applied to a BOM or to an assembly within a BOM.
6363
CycloneDX supports XML Signature, JSON Web Signature (JWS), and JSON Signature Format (JSF).
6464
Signed BOMs benefit by providing advanced integrity and non-repudiation capabilities."
65-
https://cyclonedx.org/use-cases/#authenticity
66-
65+
<https://cyclonedx.org/use-cases/#authenticity>
6766

68-
### External (deattached) digital signatures for other documents
67+
### External (detached) digital signatures for other documents
6968

7069
- indication of hash algorithm
7170
- indicator of cert used
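Review bot: the "deattached" to "detached" correction and the angle-bracketed URL are fine; the list under the detached-signatures heading is inconsistent between "indication of hash algorithm" and "indicator of cert used", so pick one form (for example "indication of hash algorithm" and "indication of certificate used") while this area is being touched.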
@@ -76,7 +75,7 @@ https://cyclonedx.org/use-cases/#authenticity
7675
## Using Sigstore for signing
7776

7877
Sigstore is an excellent free service for both signing of GIT commits as well
79-
as artefacts by using ephemeral certificates (very shortlived) and a
78+
as artefacts by using ephemeral certificates (very shortlived) and a
8079
certificate transparency log for validation and verification.
8180
Sigstore signatures contain timestamps from a timestamping service.
8281

@@ -96,13 +95,11 @@ Sigstore signatures contain timestamps from a timestamping service.
9695

9796
### DNS entry
9897

99-
100-
10198
## References
10299

103100
- IETF RFC DANE
104101
- IETF DANCE architecture (IETF draft)
105102
- IETF Digital signature
106-
- JSON web signatures (JWS) - https://datatracker.ietf.org/doc/html/rfc7515
107-
- JSON signature format (JSF) - https://cyberphone.github.io/doc/security/jsf.html
103+
- JSON web signatures (JWS) - <https://datatracker.ietf.org/doc/html/rfc7515>
104+
- JSON signature format (JSF) - <https://cyberphone.github.io/doc/security/jsf.html>
108105
- [IETF Enrollment over Secure Transport (EST) RFC 7030](https://www.rfc-editor.org/rfc/rfc7030)
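Review bot: removing the two blank lines under "### DNS entry" leaves that heading with no body before "## References"; either drop the heading until there is content or add a placeholder sentence so the rendered document does not show an empty section. Also, the first three references ("IETF RFC DANE", "IETF DANCE architecture (IETF draft)", "IETF Digital signature") are bare names while the JWS, JSF and EST entries now carry links; linking them in the same style would make the list consistent.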
