-
**Description**
Trying to deploy Rekor and Fulcio using gcr images.
image: gcr.io/projectsigstore/rekor-server -- unknown flag --redis_server.password
etc, etc, - setting things up with tho…
-
**Description**
@vaikas mentioned to me that cosign commands occasionally fail due to an unexpected error either from the network or Sigstore backends. These errors typically will come at the very…
-
**Description**
There is now a public staging instance of fulcio and rekor
- https://fulcio.sigstage.dev
- https://rekor.sigstage.dev
To use cosign in keyless mode requires
- deleting the…
-
Currently, the [FulcioClient](https://github.com/sigstore/sigstore-java/blob/main/sigstore-java/src/main/java/dev/sigstore/fulcio/client/FulcioClient.java) communicates via gRPC. While this is accepta…
-
I'm interested in package signing support in crates.io + cargo using Sigstore. After looking through some of the earlier discussions from @lukehinds and others, it seems to me that the main obstacle i…
-
The API should support custom roots. For Fulcio and Rekor, we need
1. tuf root
2. a URL to update the root (if not already present in the tuf root data of (1))
@haydentherapper please keep me hon…
-
**Description**
It seems that the OIDC client secret is not taken into account when Cosign is using device flow.
```bash
./cosign-linux-amd64 -d sign docker.redacted.com/testimage:latest \
--oid…
```
-
**Description**
We've been running into rate-limits for the public sigstore instance:
```
unable to sign image: getting signer: getting key from Fulcio: retrieving cert: POST https://fulcio.sig…
```
-
**Description**
Some use cases prefer using hardware-backed key storage to (hopefully) ephemeral software keys. Some hardware devices support attestation to prove the key material is generated on t…
-
`COSIGN_EXPERIMENTAL` was introduced AFAICT for two reasons:
1. The Sigstore *idea*, *interface*, and *implementation* were still experimental
2. The Sigstore *infrastructure* wasn't reliable/didn…