-
Fix [this](https://github.com/awslabs/tough/issues/771) upstream issue inside of tough to prevent sigstore-rs from becoming completely broken in the near future as described by [this sigstore-rs](https:/…
-
`sigstore.hashes` only contains a single API, which is a data model. It should probably be in `sigstore.models` instead.
This would be a breaking change, since it's an API rename. So we'd either ne…
-
I managed to use a GitHub Action to include the sigstore file in a release:
https://github.com/SecuringCarter/opentelemetry-python/releases/tag/6
Is this what we want to do with the sigstore fil…
-
As a developer I would like to have the ability to sign the binaries I release.
This could be done using [sigstore](https://github.com/sigstore) as they provide a fantastic keyless signing ecosyste…
-
Currently, sigstore-java rebuilds `sigstore/protobuf-specs` every time which seems wasteful, and it makes imports like `import dev.sigstore.proto.` invalid on the first project import.
We should us…
-
The API should support custom roots. For Fulcio and Rekor, we need:
1. TUF root
2. a URL to update the root (if not already present in the TUF root data of (1))
@haydentherapper please keep me hon…
-
### Problem Statement
Sigstore's documentation is primarily focused on developer signing, which is misaligned with Sigstore's MVSR and adoption strategy, automated signing through CI providers/trus…
-
**Description**
Policy-Controller currently supports verification of attestations/signatures generated using `cosign sign`/`cosign attest`, which attach signatures/attestations using the process desc…
-
When a `ClusterImagePolicy` is set on a scope to accept sigstore signatures, the underlying registry needs to be configured with `use-sigstore-attachments: true`. https://github.com/openshift/machine-…
-
### Is your feature request related to a problem? Please describe.
As Kay I want to have Sigstore integrated with Keycloak so that I can sign images, git commits and more without needing to manage …