-
Today our download pages allude to being able to verify artifacts, either through Sigstore (recommended) or GPG, however these instructions aren't as clearly documented as they could be and in theory …
-
**Description**
A user should not need to be aware of which "type" or `GeneralName` the subject is set in. Removing Type would simplify how a certificate identity is represented to be comprised…
-
[Sigstore](https://sigstore.dev/what_is_sigstore/) is an initiative by the Linux Foundation for software supply chain security. The goal is to be able to verify the origin of binaries as well as to en…
-
This is a meta issue listing all features we eventually want to support:
- [ ] https://github.com/sigstore/model-transparency/issues/203
- [ ] https://github.com/sigstore/model-transparency/issues/2…
-
**Description**
Tracking issue for using the new Sigstore TUF client, https://github.com/sigstore/sigstore-go/blob/main/pkg/tuf/client.go. This client adds support for using the new trusted…
-
Now that we have basic OCI image building and publishing, it's time to integrate signing.
-
As part of #1247 I'd like to define a GH secret.
* Secret TUF_ON_CI_TOKEN: this should be a sigstore-bot token with the following permissions for sigstore/root-signing:
* `Actions: write` to dispa…
-
GitHub now has full support for Artifact Attestations: https://github.blog/changelog/2024-06-25-artifact-attestations-is-generally-available/
The feature supersedes our usage of SigStore (#156), si…
-
This is something that came up during staging testing: sigstore-rs is not compatible with root-signing-staging, and will not be compatible with root-signing if we proceed with #929 without changes.
…
-
Looking at https://github.com/ossf/scorecard-webapp/tree/f55dfbf0ddc1620a716f571636569e01e2e222c5/app/server, it appears that the Sigstore trust root metadata, `rekor.pub` and `fulcio_v1.crt` and the …