-
We should add support for keyless cosign signing in the Signed-Release check.
cc @asraa
-
See https://github.com/sigstore/cosign/issues/2557 and https://github.com/sigstore/rekor/issues/845
-
Follow-up discussion about the idea of using a Docker image as the builder/releaser, as we have in project Oak.
In [project Oak](https://github.com/project-oak/oak), and as part of our [transparent…
-
Context: Overall we would like to offer a unified CLI / API (as part of https://github.com/google/model-transparency) to sign and verify AI artifacts.
We've received interest to support custom PKIs…
-
**Description**
Cosign verify displays an example where the user can pass an image with certificate and certchain. But that example does not work on v2.2.4 and `main`. It detects keyless verifica…
-
It's happening for a while, example https://github.com/k8gb-io/k8gb/actions/runs/9150847377
-
I'm running CentOS.
I just cloned the repo and ran:
```
mconfig --with-suid
cd builddir
make
```
And got this, ending with `Error 1`:
```
$ make
GEN GO DEP /home/msimenc/softwa…
-
The version of cosign in the `docker-publish.yml` workflow no longer works.
It causes a similar error to the one noted in https://github.com/sigstore/cosign/issues/3614. For example, for one of my …
-
Once #478 is merged, `sigstore verify` will have an `--offline` flag that disables online transparency log lookups.
This flag should *also* disable TUF refreshes, since those require network access…
-
I'm trying to get gitsign working for the first time and keep running into the following error:
```
error getting signer: POST https://fulcio.sigstore.dev/api/v1/signingCert returned 400 Bad Reque…