-
There are a number of places where users must ask "does this signature come from X?" where X is an "identity." This is actually non-trivial to get right: you can't just ask for `user@example.com` beca…
-
**Description:**
Verify Sigstore signatures of Python releases at https://github.com/actions/python-versions
[Python releases are signed via Sigstore ](https://www.python.org/download/sigs…
-
Captured from PRs
- [x] Writes to quay.io currently (Oct 13 2022) fail with HTTP status 500
- [ ] Unit tests for #1595, at least the config file handling
- [ ] Unit tests for #1597
- [ ] Unit t…
-
**Description**
Tracking issue to add the new client signing configuration described in https://github.com/sigstore/protobuf-specs/pull/277 for the next root/target signing
cc @kommendorkapt…
-
Right now a typical OIDC Issuer config would look like this:
`
"https://keycloak.local/sigstore-realm": {
"IssuerURL": "https://keycloak.local/sigstore-realm",
…
-
The Windows exe gets flagged by AV; it looks like the code isn't signed.
I don't know too much about this, but perhaps something like https://www.sigstore.dev/ could help out with this.
-
Check out https://www.csoonline.com/article/3662782/sigstore-explained-how-it-helps-secure-the-software-supply-chain.html to know what Sigstore is and why it's important to use it.
For Maven, Sonaty…
-
**Description**
We should support returning a response formatted as a `TransparencyLogEntry` (TLE) per the specification. This will be used by Sigstore clients who currently have to transform t…
-
https://opentimestamps.org/ is an interesting project that enables creating timestamp proofs.
The idea is that it can hash a file (or git commit or whatever) and put the hash on the blockchain.
Since bloc…
-
**Description**
These branches are protected, so we don't have access to delete them yet. Investigate what to do about settings, particularly for test-* branches.