-
We will need to retrieve the root policy from the OCI registry namespace
`ghcr.io/lukehinds/widgets/root-policy`
The root policy will require:
* Validate x509 entries chain to the fulcio root…
-
it may be a useful component for others to create provenance with the same format across GH builders.
See https://github.com/sigstore/fulcio/issues/754#issuecomment-1227505585
-
Add https://issuer.hello.coop as an OIDC Identity Provider for sigstore
For details on Hellō see https://hello.coop/ & https://hello.dev/
-
**Description**
[`github.com/sigstore/cosign/cmd/cosign/cli/fulcio/fulcioroots`](https://pkg.go.dev/github.com/sigstore/cosign/cmd/cosign/cli/fulcio/fulcioroots) contains methods to get `x509.CertP…
-
**Overview**
This is a tracking issue for supporting verification for expired/rotated targets. @asraa and I will be working on this.
Currently, cosign assumes the latest TUF metadata can be used…
-
On the diagram on the "[How it works](https://www.sigstore.dev/how-it-works)" page, it looks to me that an arrow is missing.
Shouldn't there be an arrow between "developers" and "rekor transparency…
-
**Description**
Gitpod is a remote workspace solution that has the ability (still in BETA) to generate JWT tokens to authenticate users within a workspace against external services like Sigstore, V…
-
We need to make `InputSetContext`s contain some information about the
identity of the entity executing that context.
This will assist with resource allocation, isolation from a security perspect…
-
Discussion in the [RubyGems RFC](https://github.com/rubygems/rfcs/pull/37) indicated interest in a mechanism to verify emails *without* going through an OIDC provider.
This should be doable using a…
-
Trillian is an important part of the Sigstore project. It is an essential component on which Fulcio and CTLog depend. The Sigstore documentation is missing information on configuring Trillian to make…