-
Use Sigstore to sign build artifacts generated in CI, providing provenance for release artifacts and runtime assets. This is essentially a tamper-proof way of verifying that an artifact was actually b…
-
This issue aims to integrate [Sigstore](https://docs.sigstore.dev) support into the in-toto-jenkins plugin.
**Description**
Currently, the In-toto Jenkins plugin requires users to provide either …
-
This is a proposal for v1 release.
Scope: support sigstore for path only (no in-memory path support). This requires implementing only a subset of https://github.com/sigstore/model-transparency/issues…
-
When we apply sigstore-gradle-sign-plugin in build logic the `sigstoreClientClasspath` always wants to use the project dependency instead of the expected sigstore-java dependency of the plugin.
```…
-
**Description**
Some use-cases involve standing up a private instance of the Sigstore stack as users do not want to upload private data to the public good instance (PGI). For these cases, we need t…
-
**Description**
There are three places we compare certificates against SET or TSA timestamps:
* We aggregate all timestamps from SETs and TSAs and verify the certificate with https://github.…
-
Captured from PRs
* [ ] Integration tests for https://github.com/containers/image/pull/1595
* [ ] Integration tests for https://github.com/containers/image/pull/1597
* [ ] Integration tests fo…
-
### Community Note
* Please vote on this issue by adding a 👍 [reaction](https://blog.github.com/2016-03-10-add-reactions-to-pull-requests-issues-and-comments/) to the original issue to help the…
-
**Description**
A user should not need to be aware of which "type" or `GeneralName` the subject is set in. Removing Type would simplify how a certificate identity is represented to be comprised…
-
@tnytown found some compatibility issues with root-signing-staging during https://github.com/sigstore/sigstore-rs/pull/354:
1. keyids were accidentally non-compliant: this concerns root-signing-stagi…