-
Hi,
We've recently started using `cosign` at [Cilium](https://github.com/cilium/cilium) to [sign our images during the build process](https://github.com/cilium/cilium/blob/95a4d37394be9010f9fa56918…
-
Hey All,
This is a tracking bug for the overall sigstore public key ceremony, which we'll use to establish a TUF trust-root for all sigstore signing. The design for that kicked off here: https://gi…
-
**Describe the feature**
Cosign offers yet another even more experimental feature: keyless signatures via OIDC. Connaisseur should attempt to support this based on Fulcio code signing certificates.
…
-
Should projects promoted by sigstore be first subject to reaching a certain criteria of quality (whatever that might be), so we can signal they are considered stable and reliable for users of sigst…
-
track list
- [x] https://github.com/zncdatadev/containers/pull/57
- [x] https://github.com/zncdatadev/containers/pull/58
## background
Currently, docker buildkit is used to build the image, …
-
I think the vast majority, if not all, dependabot PRs are merged once tests pass. This is manual, and while it's not that much of a burden, I think we can automate this. See https://docs.github.com/en…
-
#### What happened:
There was a problem when installing the latest version of the software
And got response:
```sh
$ go install sigs.k8s.io/promo-tools/v4/cmd/kpromo@v4.0.4
go: downloading sigs.k8s…
```
-
The [Sigstore conformance test suite](https://github.com/sigstore/sigstore-conformance) needs access to some OIDC token to run its tests (which run against Sigstore staging, and include OIDC-based sig…
-
### Description
It would be great if sigstore-go could not just verify, but also sign bundles.
There aren't many libraries that support signing bundles today (just sigstore-js?) This would also allo…
-
**Question**
We want to deploy Sigstore Timestamp authority in Airgap mode in which it will have no access to internet and external cloud providers. The query is that from available documentation Sig…