-
**Description**
The `TrustedMaterial` interface currently includes these methods:
```go
type TrustedMaterial interface {
	TimestampingAuthorities() []CertificateAuthority
	FulcioCertificateAuthoriti…
```
-
**Description**
_Copied from https://sigstore.slack.com/archives/C049ALX6Q83/p1709072587850229_
tl;dr - Sigstore TUF metadata has evolved, but Cosign and Scaffolding are lagging behind. We n…
-
**Is your feature request related to a problem? Please describe.**
We're having a reusable workflow in which we're pulling a base image from ECR from multiple AWS accounts. Passing the credentials to…
-
## Background
Certificate transparency background: RFC6962 supports the distribution of SCTs (log inclusion promises) in three ways: Embedded in a certificate, distributed alongside the certificate…
-
The error message returned when an OCI artifact doesn't have a sigstore manifest should be improved.
# How to reproduce
Attempt the verification of a container image that has not been signed wit…
-
We currently don't verify that the cert in the bundle is the same as the one in the rekor entry; we only verify the signatures are the same https://github.com/slsa-framework/slsa-verifier/blob/main/verifie…
-
**Is your feature request related to a problem? Please describe.**
The `private-repository` input is unfortunately named, especially considering that it is a boolean flag. `private-repository: true` …
-
Depends on #372
-
**Description**
sigstore-go [computes the proof of key possession signature over the token's subject](https://github.com/sigstore/sigstore-go/blob/79a4e821ad2deabb34a13b8ae6a271abdc725a6c/pkg/s…
-
Disclaimer: I'm one of the engineers working on Cirrus CI.
[Cirrus CI](https://cirrus-ci.org/) exposes an OIDC token via `$CIRRUS_OIDC_TOKEN` and allows overriding the audience via setting `$CIRRUS_OID…