-
## Description
`cosign verify-blob` fails to verify a blob using keyless mode (in `COSIGN_EXPERIMENTAL` mode):
```shell
$ cosign verify-blob --verbose --key release-cosign.pub --signature…
```
-
# The use case
Suppose I have a release workflow that builds reproducible container images, for example using [Bazel](https://github.com/bazel-contrib/rules_oci) or [Nix](https://ryantm.github.io/n…
-
### Describe the bug
If `crane.WriteImage` uses an already populated cache when writing a cached cosign OCI image, it will try to write the image layer compressed. Since the image layer is plaintext and sho…
-
**Description**
When I sign a container with this Vault ACL policy, it works:
```hcl
path "gitlab/*" {
  capabilities = [ "read", "list", "update" ]
}
```
![image](https://user-images.githubuse…
-
Erroneous run:
```bash
$ is-archived
INFO[0000] found 'Cargo.toml'
INFO[0000] "" does not match "ocicrypt-rs"
INFO[0003] "" does not match "attestation_agent"
INFO[0004] "sigstore" does not li…
```
-
### Is your feature request related to a problem? Please describe.
For FedRAMP/NIST compliance the Required Image Signature Pepr policy will need to be created to meet controls.
### Describe the…
-
The SLSA attestation model [1] defines a "statement" as an in-toto attestation, e.g. as "https://in-toto.io/Statement/v1" [2]. This statement contains both the predicate (e.g. "provenance" / "cycloned…
-
**Description**
Basically, when we sign the image using the `Cosign` signing tool, by default it adds the `rekor-bundle` to the image as an annotation, as the value of the key `dev.sigstore.cos…
-
[cosign](https://github.com/sigstore/cosign), maintained by the [sigstore](https://sigstore.dev/) community, is a new standard that allows the signing and verification of container images and OCI artifact…
-
**Description**
Based on the clusterImagePolicy API, it has options to accept a key or a keyless authority. Can we also support a non-identity-based cert as a verifier to verify signatures, such as https://githu…