-
**Description**
_This is something I've been marinating on for some time, but was driven to open a tracking issue by https://github.com/sigstore/sigstore/issues/384_
**Problem:** baking in every…
-
**Description**
I've been thinking about private deployments in which consumers will trust artifacts signed in both their private environment and from the public good instance. Currently, clien…
-
I'm not sure whether it's make sense to sign image on the server side, but still wanted to drop an issue to further discuss this.
If I don't want to manage sign stuff in my pipeline or local, we mi…
-
While loading `trusted_root.json` and parsing it, I am trying to verify the `certChain` for Fulcio and the TSA.
According to both the repository and TUF, it looks like the bottom certificate in the…
-
**Question**
I have already used cosign to perform a keyless signature on an image, and now I want to apply it to a Kubernetes cluster with a policy controller, but I am confused about the configur…
-
**Description**
The [documented](https://docs.sigstore.dev/cosign/verify/#local-verifications) x509 certificate verification isn't working as expected. This is broken in two different ways at HEAD …
-
**Description**
See https://github.com/namely/docker-protoc
This solves the issue of a mismatch between the locally installed protoc and the one used to check for updated generated code in t…
-
https://github.com/theupdateframework/taps/pull/141/files
This basically requires two things:
(1) Adding an optional `cert` key-value pair into the signature
(2) Signature verification will inclu…
asraa updated
3 years ago
-
Implementing cosign in the [Pulumi/Pulumi](https://github.com/pulumi/pulumi/releases/tag/v3.50.0) repository shows how much noise it adds to releases, doubling the number of assets published.
Addit…
-
Using the "Publish Docker Container By GitHub Actions" Github action configuration to add the cosign tool and perform container signing
`
# Install the cosign tool except on PR
# ht…