Policy bundle JWS detached payload signing
Closes #37
Implementation details
The policy bundle is a ZIP file archive containing all policy related files and metadata.
To sign the bundle, we use the signer service to produce the signature on the policy bundle zip file, by making a small adapter that satisfies the jws.Signer interface of the lestrrat jws library. The signing is done using the unencoded payload option (detached payload) from the JWS RFC 7797.
The signature is kept as a separate file which is not inserted inside the policy_bundle.zip file, because that would change the file itself. Instead, both the original zip file and the signature file are wrapped in another ZIP archive which is sent to the client making the policy export. That means the client will receive a ZIP file containing the policy bundle ZIP and a JWS signature file.
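A sketch of how a client could check the detached signature against the raw bytes of the inner policy bundle ZIP. This is an added example, not code from this merge request: it uses only the Go standard library rather than the lestrrat jws library, and the EdDSA algorithm, the key handling and the function names are assumptions.

```go
package main

import (
	"crypto/ed25519"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

var b64u = base64.RawURLEncoding

// SignDetached returns "<protected>..<signature>" (alg EdDSA is an assumption).
func SignDetached(priv ed25519.PrivateKey, payload []byte) string {
	hdr := b64u.EncodeToString([]byte(`{"alg":"EdDSA","b64":false,"crit":["b64"]}`))
	sig := ed25519.Sign(priv, append([]byte(hdr+"."), payload...))
	return hdr + ".." + b64u.EncodeToString(sig)
}

// VerifyDetached checks a detached JWS against the raw bundle bytes.
func VerifyDetached(pub ed25519.PublicKey, jws string, payload []byte) error {
	parts := strings.Split(jws, ".")
	if len(parts) != 3 || parts[1] != "" {
		return errors.New("not a detached compact JWS")
	}
	raw, err1 := b64u.DecodeString(parts[0])
	sig, err2 := b64u.DecodeString(parts[2])
	if err1 != nil || err2 != nil {
		return errors.New("bad base64url in header or signature")
	}
	var h struct{ Alg string; B64 *bool; Crit []string }
	// Pin the algorithm and require b64=false, listed as critical (RFC 7797).
	if json.Unmarshal(raw, &h) != nil || h.Alg != "EdDSA" || h.B64 == nil || *h.B64 ||
		len(h.Crit) != 1 || h.Crit[0] != "b64" {
		return errors.New("unexpected protected header")
	}
	// Signing input is ASCII(protected) || "." || raw payload bytes, not base64.
	if !ed25519.Verify(pub, append([]byte(parts[0]+"."), payload...), sig) {
		return errors.New("signature does not match bundle")
	}
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(nil)
	bundle := []byte("PK\x03\x04 constructed stand-in for policy_bundle.zip")
	jws := SignDetached(priv, bundle)
	fmt.Println(VerifyDetached(pub, jws, bundle), VerifyDetached(pub, jws, append(bundle, 0)))
}
```

The verifier must be given the inner ZIP exactly as received; re-compressing or re-packing it changes the bytes and the check fails.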