-
# Background
We have an external root CA. It has a root certificate. Let's say the root CA signs an intermediate cert. Then that intermediate cert is used to sign a leaf cert. This leaf cert is s…
-
### Problem Statement
Sigstore's documentation is primarily focused on developer signing, which is misaligned with Sigstore's MVSR and adoption strategy, automated signing through CI providers/trus…
-
**Description**
Hi folks, as a followup to the discussion that happened in https://github.com/sigstore/scaffolding/pull/1159, I wanted to make the following proposal to improve the TUF server. I wo…
-
**Description**
I have this issue periodically on the GHA runner. It hard to 100% reproduce, but sometime my cosign failed to sign image with following error:
```
cosign sign --yes ghcr.io/***/bt…
-
Fulcio has a publicly export API now for all of the x509 cert extensions. We should support these as constraints for functionaries and policy signatories.
https://github.com/sigstore/fulcio/blob/ma…
-
### Workflow run failed for root-signing GCS repository tests.
Failed run: https://github.com/sigstore/root-signing-staging/actions/runs/8820716726
* Maintainers can re-run the failing job manually
*…
-
The fun thing about packaging systems with central package directories is the central package directories have this annoying tendency to be compromised. There have been a few such notable compromises …
-
Codefresh has recently added support for OIDC in pipelines:
https://codefresh.io/docs/docs/integrations/oidc-pipelines
For integration with Sigstore Codefresh OIDC provider needs to be added to sup…
-
**Is your feature request related to a problem? Please describe.**
This will allow for people to configure a rekor URL for upload, which will mean we can configure verifier e2e tests to use rekor sta…
asraa updated
4 months ago
-
Background: https://github.com/pypa/packaging-problems/issues/25
Create a generic wheel-building service to make releases faster and more robust.