-
**Description**
Replay of a proof of possession (PoP) to associate a key with a different identity is currently possible (albeit difficult, since you must intercept the PoP somehow).
A propo…
-
### Describe the bug
Example failure at the bottom:
https://github.com/microsoft/ebpf-for-windows/actions/runs/6383992434/job/17325721329
This looks like some private endpoint used for signing …
-
This PR fixes a bug in witness that references fulcio parameters out of order. The examples need to be fixed after this is merged.
https://github.com/testifysec/witness/pull/270#pullrequestreview-…
-
Does chain-bench recognize code signing tools like sigstore (cosign, fulcio, rekor)?
-
I need to have pushed image digest so it can be signed with [cosign](https://github.com/sigstore/cosign).
Example action step:
```
- name: Sign the published Docker image
  if: ${{ git…
```
-
We need to add two values as SAN when integrating with GitLab:
1) ci_config_ref_uri
2) user_email
This is necessary so that the policy controller can create flexible ClusterImagePolicy. Mono r…
-
**Description**
I am not sure if this is a bug or a documentation problem. I'm leaving this here as I imagine that anyone deploying these days probably has the same issue.
I deployed scaffold …
-
Fulcio is in a good position to record the public keys of the OIDC identity providers in a (separate?) transparency log. This would be nice to have for historical reasons.
-
**Description**
See also https://github.blog/changelog/2023-01-10-github-actions-openid-connect-token-now-supports-more-claims-for-configuring-granular-cloud-access/
Recently, GitHub announced t…
-
I built my own container image based off of @cgwalters's Fedora Silverblue image from [this](https://github.com/cgwalters/sync-fedora-ostree-containers) repo, pushed it onto a container registry, and …