-
When a contributor adds a significant feature, an architecture diagram should accompany the feature. This is helpful for reviewers to understand more about the feature, and for other contributors to u…
-
From #910:
> Given the root is present in the trusted root file, I would prefer we still validate it. The intermediate being shipped in the trust root is more of an optimization, letting us avoid d…
-
This is not a fully defined feature request but I wanted to write this down before holidays...
I was testing if a sigstore client (sigstore-python) _really_ can choose the "sigstore instance" purel…
-
The idea is to add something like:
```
- name: Sign the published Docker image
  if: ${{ github.event_name != 'pull_request' }}
  # This step uses the identity token to provision an…
```
-
EDIT: this issue was originally reported with the name: *MySql container has (fatal) incorrect Schema Error on startup: [ERROR] Native table 'performance_schema' ... has the wrong structure*. I've sin…
-
**Description**
Normally the `e2e` test is triggered when a pull request event is triggered. But for testing purposes a developer needs to run e2e locally to see changes. On running e2e locally it thr…
-
For a given trusted root (especially with sigstore public good), the fulcio/ca instance should optionally be allowed to specify a (or many?) sigstore-specific trusted OIDC provider(s).
Why?
This all…
-
### aqua info
aqua v2.25.0
### Overview
aqua uses Cosign v1.
https://aquaproj.github.io/docs/reference/security/cosign-slsa/#verify-packages-with-cosign
Recently, Sigstore has published…
-
Don't know why, but if I try to pull the latest container image tagged `master`, then I got an image with `sha256:6d484a6467ee134caba0781fc64a9938a02481c035f11561644357477f7fa62a`. While the [latest o…
-
### Bug description
When running `gp idp token`, the JWT token that's generated has an email pulled, almost at random, from the user's git auth provided. If a user adds an additional provider t…