-
**Description**
_Copied from https://sigstore.slack.com/archives/C049ALX6Q83/p1709072587850229_
tl;dr - Sigstore TUF metadata has evolved, but Cosign and Scaffolding are lagging behind. We n…
-
**Description**
Different parts of code use different libraries for JSON canonicalization.
**Examples:**
https://github.com/sigstore/sigstore-rs/blob/d5ba303182318495a081d1c4ad50d5c27be015cc/…
-
**Is your feature request related to a problem? Please describe.**
I would like to use [generator_container_slsa3](https://github.com/slsa-framework/slsa-github-generator/blob/main/.github/workflows/…
-
I tried to install tuf-on-ci-sign with uv into a uv created venv and ran into an error:
> ~ % uv pip install tuf-on-ci-sign
> × No solution found when resolving dependencies:
> ╰─▶ Because th…
-
**Description**
https://github.com/sigstore/sigstore-go/pull/47 and https://github.com/sigstore/sigstore-go/pull/45 introduce skipping log and TSA signatures respectively that the trust bundle …
-
GitHub recently released some fancy new “artifact attestation” actions that integrate with sigstore: https://github.blog/2024-05-02-introducing-artifact-attestations-now-in-public-beta/
If I unders…
-
**Description**
I'm attempting to leverage `sigstore-python` library for an enterprise signing/verification tool. Working on a proof of concept resulted in this small example:
```python
from sigs…
```
-
An off-line mode would enable the use of `slsa-verifier` in air-gapped environments, which are isolated from any network connection for security reasons.
Cosign [already supports this](https://githu…
-
As seen in https://tuf-repo-cdn.sigstore.dev/targets.json the targets.json can contain a `custom` field for holding additional data about the target.
```json
{
"signed":{
"_type":"targ…
```
-
### Issue Description
A signed image that got successfully pushed to Artifactory, using https://github.com/sigstore/cosign#registry-support, cannot be pulled due to an error:
```
Error: Source i…
```