-
## Feature Request
#### Is your feature request related to a problem? Please describe.
I'd like to be able to validate that the artifacts downloaded by Scoop have been created by a trusted source v…
-
At the moment we use cosign to sign our payload. Cosign brings in a lot of dependencies.
We could replace it with something like this https://github.com/slsa-framework/slsa-github-generator/blob/c…
-
**Question**
When is the next release of cosign scheduled?
I ask as the current version, 2.4.0, has open CVEs:
```
$ docker run -it aquasec/trivy image gcr.io/projectsigstore/cosign:v2.4.0 --q…
```
-
When the issue of cosign keys being rerolled in Bazzite happened, I did not notice it at all due to using this template for my own spin https://github.com/Venefilyn/VeneOS/
We should add a step about verifyi…
-
gitsign is a unique case, it's more like Cosign in that it's a tool built on top of an SDK to sign a specific format (commits, rather than containers/blobs like Cosign).
What do you t…
-
Cosign seems to be taking a long time to download TUF data and triangulate the image; we'll need to investigate this rather than just bump timeouts like we did in https://github.com/bpfman/bpfman/pull…
-
When trying to send a payment to the co-signing pool, I receive a time out error.
-
Cross-posting my [cosign GitHub Issue](https://github.com/sigstore/cosign/issues/3890) here just in case it's a Fulcio-related issue.
I have been looking into using keyless signing again. My proble…
-
Hey folks, it looks like there's an interoperability issue between Buildpacks and Cosign tooling. As an end user, I would like:
`pack sbom download` and `cosign download sbom` to work on any OCI art…
-
Thanks for this action and all the work on the whole infrastructure setup. 🙂
I'm just starting to attempt to generate SBOM and provenance attestations (this part using this action), sign my images …