From cbb7f3f0b43fe253e397f283f4b4f32081ab1a32 Mon Sep 17 00:00:00 2001 From: Colleen Murphy Date: Wed, 13 Dec 2023 14:30:56 -0800 Subject: [PATCH 1/2] Fix typos in overview Signed-off-by: Colleen Murphy --- content/en/about/overview.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/content/en/about/overview.md b/content/en/about/overview.md index d1da7c12..541575e8 100644 --- a/content/en/about/overview.md +++ b/content/en/about/overview.md 
@@ -50,11 +50,11 @@ A Sigstore client, such as Cosign, requests a certificate from our code-signing You don’t have to manage signing keys, and Sigstore services never obtain your private key. The public key that a Sigstore client creates gets bound to the issued certificate, and the private key is discarded after a single signing. -After the client signs the artifact, the artifact's digest, signature and certificate are persisted in a transparency log: an immutable, append-only ledger known as Rekor. With this log, signing events can be publicly audited. Identity owners can monitor the log to verify that their identity is being properly used, and someone who downloads and artifact can confirm that the certificate was valid at the time of signing. +After the client signs the artifact, the artifact's digest, signature and certificate are persisted in a transparency log: an immutable, append-only ledger known as Rekor. With this log, signing events can be publicly audited. Identity owners can monitor the log to verify that their identity is being properly used, and someone who downloads an artifact can confirm that the certificate was valid at the time of signing. For verifying an artifact, a Sigstore client will verify the signature on the artifact using the public key from the certificate, verify the identity in the certificate matches an expected identity, verify the certificate's signature using Sigstore's root of trust, and verify proof of inclusion in Rekor. Together, verification of this information tells the user that the artifact comes from its expected source and has not been tampered with after its creation. -For more information on the modules that make up Sigstore, review [Toolling]({{< relref "about/tooling">}}). +For more information on the modules that make up Sigstore, review [Tooling]({{< relref "about/tooling">}}). ## How to use Sigstore From 3181f098b8d4e0d953428b9dccb5db64796f5c0f Mon Sep 17 00:00:00 2001 
From: Colleen Murphy Date: Wed, 13 Dec 2023 14:31:39 -0800 Subject: [PATCH 2/2] Add back descriptive content on cert issuing As part of doc enhancements in b57dc161, the description in step 7 was removed. Although the final step is simple and the diagram and section header are clear, it is jarring for the final step to be inconsistent with the others by having no text body. It is moreover unfriendly to screen readers since there is no context for the diagram. This change adds the brief description back for the sake of readability. Signed-off-by: Colleen Murphy --- .../en/certificate_authority/certificate-issuing-overview.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/content/en/certificate_authority/certificate-issuing-overview.md b/content/en/certificate_authority/certificate-issuing-overview.md index 3576bf25..00696b11 100644 --- a/content/en/certificate_authority/certificate-issuing-overview.md +++ b/content/en/certificate_authority/certificate-issuing-overview.md @@ -113,4 +113,6 @@ See [Certificate Transparency Log Information](https://github.com/sigstore/fulci ## 7 — Return certificate to client +Finally, the certificate and SCT are both returned to the client. + ![Fulcio return the certificate to the client](/fulcio-7-return-to-client.png)
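
Review bot: In content/en/about/overview.md (PATCH 1/2), the corrected link line still has uneven spacing inside the shortcode delimiters: `{{< relref "about/tooling">}}` has a space after `{{<` but none before `>}}`. Since the line is being touched anyway, consider `{{< relref "about/tooling" >}}`. The context lines of the same hunk also mix a typographic apostrophe ("don’t") with straight ones ("artifact's", "certificate's"); settling on one would fit a typo pass.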
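
Review bot: In content/en/certificate_authority/certificate-issuing-overview.md (PATCH 2/2), the image alt text under step 7 still reads "Fulcio return the certificate to the client", which has a subject-verb error and leaves out the SCT that the added sentence mentions. The commit message gives screen readers as a reason for the change, so the alt text is worth fixing in the same patch, for example "Fulcio returns the certificate and SCT to the client".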