sigstore / sigstore-rs

An experimental Rust crate for sigstore
https://sigstore.github.io/sigstore-rs/sigstore/
Apache License 2.0

Client libraries should verify after signing #296

Open znewman01 opened 1 year ago

znewman01 commented 1 year ago

In the Sigstore clients special interest group meeting today, we discussed an issue with the release signatures on CPython.

We have two recommendations for client libraries:

  1. After signing, the clients MUST verify the signature (see Sigstore client spec).
  2. Client library interfaces SHOULD allow callers to specify an identity (and other verification parameters) to use for this verification.

I'm going to be a bit lazy (sorry) and rather than inspecting every client library by hand, just ask whether you're doing these and, if not, whether you all agree with these recommendations.
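
The two recommendations above, as an added example that is not part of the issue and not sigstore-rs code: a signing entry point takes the caller's verification parameters (here just the expected identity), signs, and then runs the library's own verifier over the result before handing the bundle back, so a signature produced under an identity the caller did not ask for never leaves the library. The signature primitive is a keyed FNV-1a hash standing in for the real Fulcio certificate and ECDSA signature, and all type and function names (`SigningSession`, `TrustRoot`, `sign_then_verify`, ...) are hypothetical.

```rust
// Added example (not sigstore-rs code): sign, then verify the output against
// a caller-supplied policy before returning it. The "signature" is a keyed
// FNV-1a hash that only stands in for a real certificate + signature; every
// name below is hypothetical.

/// Identity claims a Fulcio certificate would bind to the signing key.
#[derive(Clone, Debug, PartialEq, Eq)]
pub struct Identity {
    pub subject: String, // e.g. an e-mail or CI workflow identity
    pub issuer: String,  // OIDC issuer that asserted the subject
}

/// The verification parameters the caller passes in (recommendation 2).
#[derive(Clone, Debug)]
pub struct VerificationPolicy {
    pub expected: Identity,
}

/// What the client library hands back after signing.
#[derive(Clone, Debug, PartialEq, Eq)]
pub struct Bundle {
    pub identity: Identity,
    pub signature: [u8; 8],
}

#[derive(Debug, PartialEq, Eq)]
pub enum SignError {
    /// Signing succeeded, but under an identity the caller did not ask for.
    IdentityMismatch { expected: Identity, actual: Identity },
    /// The produced signature does not verify over the payload.
    BadSignature,
}

/// Stand-in for the verification material (toy symmetric key, hypothetical).
pub struct TrustRoot {
    pub key: u64,
}

/// Stand-in for the OIDC-backed signing session. `identity` is whatever the
/// token flow actually produced, which may differ from what the caller wanted.
pub struct SigningSession {
    pub key: u64,
    pub identity: Identity,
}

fn fnv1a64(parts: &[&[u8]]) -> u64 {
    let mut h: u64 = 0xcbf2_9ce4_8422_2325;
    for part in parts {
        for &b in part.iter() {
            h ^= u64::from(b);
            h = h.wrapping_mul(0x0000_0100_0000_01b3);
        }
    }
    h
}

/// Toy "signature": keyed hash over the identity and the payload.
fn toy_sign(key: u64, identity: &Identity, payload: &[u8]) -> [u8; 8] {
    fnv1a64(&[
        &key.to_be_bytes(),
        identity.subject.as_bytes(),
        b"\0",
        identity.issuer.as_bytes(),
        b"\0",
        payload,
    ])
    .to_be_bytes()
}

impl SigningSession {
    /// Raw signing step: returns a bundle under whatever identity the session has.
    pub fn sign(&self, payload: &[u8]) -> Bundle {
        Bundle {
            identity: self.identity.clone(),
            signature: toy_sign(self.key, &self.identity, payload),
        }
    }
}

/// Verification path, independent of the signing session: signature first, then identity policy.
pub fn verify(root: &TrustRoot, payload: &[u8], bundle: &Bundle, policy: &VerificationPolicy) -> Result<(), SignError> {
    if toy_sign(root.key, &bundle.identity, payload) != bundle.signature {
        return Err(SignError::BadSignature);
    }
    if bundle.identity != policy.expected {
        return Err(SignError::IdentityMismatch {
            expected: policy.expected.clone(),
            actual: bundle.identity.clone(),
        });
    }
    Ok(())
}

/// Recommendations 1 + 2 together: sign, then refuse to return a bundle that
/// the caller's own verification parameters would reject.
pub fn sign_then_verify(session: &SigningSession, root: &TrustRoot, payload: &[u8], policy: &VerificationPolicy) -> Result<Bundle, SignError> {
    let bundle = session.sign(payload);
    verify(root, payload, &bundle, policy)?;
    Ok(bundle)
}

fn main() {
    let root = TrustRoot { key: 0x5eed };
    let expected = Identity { subject: "release@example.org".into(), issuer: "https://accounts.example.org".into() };
    let policy = VerificationPolicy { expected: expected.clone() };

    // Session whose identity matches what the caller asked for: bundle is returned.
    let good = SigningSession { key: root.key, identity: expected };
    println!("{:?}", sign_then_verify(&good, &root, b"artifact.tar.gz", &policy).map(|b| b.identity));

    // Session where the token flow produced a different identity: signing "works", but the bundle is rejected.
    let other = SigningSession { key: root.key, identity: Identity { subject: "dev@example.org".into(), issuer: "https://accounts.example.org".into() } };
    println!("{:?}", sign_then_verify(&other, &root, b"artifact.tar.gz", &policy).err());
}
```

The design point is that `verify` is the same function a consumer of the bundle would call, so the post-signing check exercises the real verification path rather than a separate, weaker one; if the caller leaves the policy out, the library can only confirm the signature is well-formed, not that it was made under the intended identity.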

flavio commented 1 year ago

Thanks for reaching out. We do not perform a verification after the signature is created.

The question is, should this be done inside of the low-level library (like sigstore-rs) or should this be done by the author of a 3rd party sigstore client that is built with Rust and sigstore-rs?

To be more concrete, let's imagine the use case of extending cargo so that when publishing a crate the developer can also sign the release using sigstore. Should the verification be done inside of the cargo codebase, or should it be done by sigstore-rs when some parameters are given to the "create signature" API?

I see pros and cons with both approaches. Is there some consensus among the other libraries implementing the sigstore spec?