-
Sometimes we will want to validate on a public key, rather than the [SAN](https://github.com/seedwing-io/seedwing-policy/blob/main/seedwing-policy-server/policy/mycorp/policies.dog#L89) in an x509 cer…
-
## Expected Behavior
Gradle should be able to sign and verify artifact signatures.
Of course, it would take time to migrate off PGP for Maven Central, however, having off the shelf sigstore suppor…
vlsi updated
3 months ago
-
**Description**
[Key-based verification](https://github.com/sigstore/sigstore-rs/tree/main/examples/verify#key-based-verification) [uses the TUF root](https://sigstore.slack.com/archives/C022FBCBPT…
-
**Description**
Gitpod is an automated workspace solution currently trying to [sign all of the commits that its users make](https://github.com/gitpod-io/gitpod/issues/666) automatically using sigst…
-
**Description**
See also https://github.blog/changelog/2023-01-10-github-actions-openid-connect-token-now-supports-more-claims-for-configuring-granular-cloud-access/
Recently, GitHub announced t…
-
**Description**
We support some integrations with cloud providers, but they aren't really listed anywhere. Things like KMS, CA APIs, and keyless/oidc support bridge across individual tools (fulcio/…
-
**Description**
I am not sure if this is a bug or a documentation problem. I'm leaving this here as I imagine that anyone deploying these days probably has the same issue.
I deployed scaffold …
-
> For future improvements these are the things I think we should address:
>
> - appending signature to transparency log is the default in v2 (where it was only done for keyless in v1) and…
-
**Description**
When trying to use AWS KMS to sign my certs in fulcio using `awskms://[endpoint]/[arn]` it took me ages to realize that the endpoint was optional, but the trailing `/` was not. It'…
-
To avoid re-implementing `VerifyAttestation` signatures: see https://github.com/slsa-framework/slsa-verifier/pull/202/files#r948431748