-
**Description**
Tracking bug for https://github.com/sigstore/sigstore-go/blob/main/pkg/verify/tlog.go#L174
This is not absolutely necessary because we do already compare against the [signatu…
-
There's currently an RFC open on improving the npm ecosystem's security by signing packages using sigstore. I'd like to suggest that semantic-release opt into this functionality whenever npm finalizes…
-
Add https://issuer.hello.coop as an OIDC Identity Provider for sigstore
For details on Hellō see https://hello.coop/ & https://hello.dev/
-
**Description**
Currently, sigstore-java is all-in-one, so users can't select the bits they need, and the dependency surface might become an issue.
For instance, generating Sigstore Bundle requi…
-
A friend reported that the hamburger menu is "hidden" on a pixel and you have to scroll right to see it:
![image](https://user-images.githubusercontent.com/228135/157922819-64c6f312-ea14-44c5-9ef6-98…
-
At the moment we use cosign to sign our payload. Cosign brings in a lot of dependencies.
We could replace it with something like this https://github.com/slsa-framework/slsa-github-generator/blob/c…
-
GitHub now has full support for Artifact Attestations: https://github.blog/changelog/2024-06-25-artifact-attestations-is-generally-available/
The feature supersedes our usage of SigStore (#156), si…
-
**Description**
Different parts of code use different libraries for JSON canonicalization.
**Examples:**
https://github.com/sigstore/sigstore-rs/blob/d5ba303182318495a081d1c4ad50d5c27be015cc/…
-
Occasionally, we hit 'error updating to TUF remote mirror' when calling cosign verify.
The error looks like a connection error from our server, but when I try to open the https://tuf-repo-cdn.sigst…
-
As seen in https://tuf-repo-cdn.sigstore.dev/targets.json the targets.json can contain a `custom` field for holding additional data about the target.
```json
{
  "signed":{
    "_type":"targ…
```