Sign with a passkey signature

[gedw99]

Question

I use passkeys to identify orgs and users when they sign in to a golang system that I am working on .

the system produces artifacts into their GitHub or other git servers . These are binaries , WASM , text files.

I plan to produce an SBOM of these artefacts also as an artefact.

Others users can then use those artefacts at runtime in the system.

so I was wondering about using the passkey signature to sign their artefacts.

WASM is the main thing that is run by third parties , because it gives a measure of security ssndboxing . But the binaries also .

I plan to team this up with fish food , which is a golang package distribution system and make it real time with a pub sub overlay system.

https://github.com/tinned-fish/gofish

the core binaries that run the passkeys would need to be motorised by Apple and Microsoft in order for them to run on devs and users systems. I was thinking of doing Notorisstion and then co-signing in a 2 steps process . But have no idea if this is workable .

would appreciate feedback :)

[gedw99]

I can also use nats nkrys Ed25519 since my core auth system is based on nats .

https://github.com/nats-io/jwt

Since cosign is able to mint self managed keys here , https://docs.sigstore.dev/key_management/signing_with_self-managed_keys/, it looks like I could use this approach flow:

Users passkey , then store passkey signature in nats , then create a nats user , then create a jwt and a cosign key … then sign any artefacts this users produces.

it’s a chain of trust that flows bs into the users passkey that is stored in their Tom chip . Yubikeys also .