-
Hi,
Starting with 8.8.0, the Elastic images are now [signed with Cosign Sigstore](https://www.elastic.co/guide/en/elasticsearch/reference/8.8/docker.html#docker-verify-signature) as you can see bel…
-
Ensure/implement that Minder has support for provenance information stored in an OCI registry that uses the bundle format (currently it's only `simplesigning`).
References:
- https://github.com/si…
-
**Description**
_Copied from https://sigstore.slack.com/archives/C049ALX6Q83/p1709072587850229_
tl;dr - Sigstore TUF metadata has evolved, but Cosign and Scaffolding are lagging behind. We n…
-
Some personalities want to delay returning from calls to their `Add` API until the provided entry is integrated into the tree (e.g. Sigstore does this currently).
Tessera's `Add` function returns a…
-
### Problem Statement
Verify image rules have been in beta for some time. Since then several features have been added and the approach has been refined. We have gotten to the point where we shoul…
-
**Description**
In the quick start there is a dead Slack invite at the top of the page (https://docs.sigstore.dev/signing/quickstart/). It should be updated.
-
**Description**
https://github.com/sigstore/sigstore-go/pull/47 and https://github.com/sigstore/sigstore-go/pull/45 introduce skipping log and TSA signatures respectively that the trust bundle …
-
**Is your feature request related to a problem? Please describe.**
We (@open-telemetry/sig-security-maintainers) are evaluating adopting sigstore (including cosign) for signing our artifacts, includi…
-
We have a private repository but distribute our binaries publicly.
We would like for people to be able to validate the attestations of these binaries via the public good sigstore instances. There d…
-
The protocol buffer files in this repo are annotated with [AIP-203 field behavior annotations](https://google.aip.dev/203), denoting fields that are marked as required. These annotations are not gener…