-
**Description**
Right now, it can be quite difficult to map the e2e test cases we have along with the code base, given that they're all in a small number of fairly large golang files. I think we co…
-
**Description**
Add an additional timestamping type to Rekor.
Roughtime is a modern timestamping standard https://blog.cloudflare.com/roughtime/
In addition to supporting RFC 3161 for compat…
asraa updated
2 years ago
-
#### What happened:
Cannot build release-sdk commands without pulling in MPL-licensed projects not in the CNCF allowlist.
`go mod why github.com/hashicorp/go-retryablehttp` shows this path to gi…
-
**Description**
There is now a public staging instance of fulcio and rekor
- https://fulcio.sigstage.dev
- https://rekor.sigstage.dev
To use cosign in keyless mode requires
- deleting the…
-
Currently, `cosign import-key-pair` only has support for [RSA and ECDSA keys in PEM format](https://docs.sigstore.dev/cosign/import-keypair/) and does not offer support for importing GPG keys. The mot…
-
**Question**
Since the rpm package format is supported in rekor as pluggable types, does anyone know what is the correct way to upload a signed package record to rekor server? I found there is a f…
-
**Description**
We've created a Verifiers API in the Entries interface to abstract extracting "verifiers" - e.g. certificates, public keys, pgp keys, etc. - from a given entry. This would simplify…
-
The current API supports only intoto statement, and we'd like support for arbitrary DSSE blobs.
We discussed this in the past but the original DSSE issue has been closed, so creating this issue for…
-
**Description**
Right now, all containers use offline verification by default, and only perform online verification as a fallback mechanism. This is because offline Rekor bundles are stored along i…
-
On the diagram on the "[How it works](https://www.sigstore.dev/how-it-works)" page, it looks to me that an arrow is missing.
Shouldn't there be an arrow between "developers" and "rekor transparency…