- See https://github.com/sigstore/sigstore-conformance/pull/101.
- Currently we have statically included the Rekor and Fulcio public keys into the library. These keys should be updatable via TUF.
- Sigstore is a project that is part of OpenSSF. This landscape would represent Sigstore's ecosystem (and eventually be embedded in the OpenSSF main landscape). Goals for the landscape:
  - Highlight th…
- There are a number of places where users must ask "does this signature come from X?" where X is an "identity." This is actually non-trivial to get right: you can't just ask for `user@example.com` beca…
- After reading your `README.md`, the elephant missing is: how do I actually sign my releases using a fulcio-issued code signing certificate for Windows and MacOS?
  Context: I maintain an open-source …
- @laurentsimon The Go builder outputs json provenance as base64 encoded. The generic provenance-only builder just outputs json without encoding. I'd like to be consistent, but base64 encoding didn't se…
- Related to [Sigstore clients should require a provided identity](https://docs.google.com/document/d/1o8_bXIygufgiohJGlmBzqF4_BnXCTfgh4ILgJFJxYRs/edit?resourcekey=0-YEar3v67uoT31kj83dCVvA).
  Right no…
- ### Describe what should be investigated or refactored
  Zarf is looking to refactor / redesign Zarf actions to be simpler and easier to maintain - we need to document our actions must-haves to ensur…
- Hey @jedisct1,
  I'm toying around using `wasmsign` and thought it could be nice if `Ed25519ph` were supported (officially). I'm trying to use it with a system in which there are some cases for which…
- According to SLSA v1.0, Build L3: Hardened builds
  > Provides strong confidence that the package was built from the official source and **build process**.
  Based on this statement, my question is wh…