-
[Sigstore](https://www.sigstore.dev) exists to verify whether a deployed dependency was signed by the author. Detecting whether a detected dependency was signed by Sigstore would allow downstream tool…
-
We already have message types defined that describe the inputs to the verification process (`Bundle`, `TrustedRoot`, `ArtifactVerificationOptions`) so it seems reasonable to also define a standardized…
-
Package managers (e.g., npm) need to implement a sigstore client library to enable provenance for their users. If we could turn the GHA in this repo into a daemon (that users can add as a step), i…
-
**Description**
I believe `cosign` uses this logic to extract the "subject" for proof of possession:
https://github.com/sigstore/sigstore/blob/9a7027012170c0070b8842b1bda6f0050e420097/pkg/oauthflo…
-
**Description**
The current `openapi.yaml` is written as OpenAPI 2.0 (a/k/a Swagger 2.0). There's a newer version (OpenAPI 3.0) that unifies the syntax a bit.
Context: This is part of a yak stac…
-
Including:
- Use cases
- Payload (as described [here](https://github.com/sigstore/cosign/blob/main/specs/SIGNATURE_SPEC.md))
- How to correlate SET with UUID of entry
Basically a post walking…
-
While cutting the February patch releases, the image promoter got rate limited by Fulcio, the sigstore certificate authority (see [this long thread in slack](https://kubernetes.slack.com/archives/CJH2…
-
**Description**
When authenticating with GitHub, gitsign appears to retrieve a user's private email address and insert that address into the commit being signed. It does this even if a user has con…
-
Hello, does tekton chains support rotation of the keys used to sign artifacts, pipelineRuns, taskRuns, etc.?
The scenario we have is where we are using chains with hashicorp vault and ideally we'd li…
-
Sigstore infrastructure might meet the needs of the binary ledger here; did you consider using it?