-
GitHub recently launched https://github.blog/changelog/2024-06-25-artifact-attestations-is-generally-available/, which builds on Sigstore's https://github.com/sigstore/fulcio, https://github.com/sigsto…
-
**Question**
* Given the introduction of new CiProvider in https://github.com/sigstore/fulcio/pull/1729
And the fact that all CI providers have been changed to `type: ci-provider` in https://gi…
-
GitHub Artifact Attestation https://github.blog/changelog/2024-06-25-artifact-attestations-is-generally-available/ only uses public good rekor and fulcio for public repositories.
For private reposito…
-
**Description**
We've had several users be surprised by the behavior of both rekor & fulcio (as deployed by the helm charts) where the default signer is the `memory` option - this is nice for testi…
-
There are some remaining issues on the Fulcio TAP:
* link to Sigstore documentation (as it is created) for root signing, signing, bundles, and verification
-
This is currently not possible but will land once the Fulcio claims have been standardized
-
**Description**
The Fulcio V1 API will be turned down in the coming months.
https://github.com/sigstore/sigstore-rs/blob/main/src/fulcio/mod.rs#L20 will need to be updated to https://github.…
-
Today we request a new Fulcio cert for each thing we sign or attest, which can become a lot.
Instead we should cache a Fulcio cert for some duration (5 minutes) and reuse it for all signings done d…
-
**Description**
SLSA GitHub generators use Sigstore signing to sign releases. Trusted builders use their GH-provided OIDC identity to sign. The source repository is contained inside OID extensions,…
-
Could we version Fulcio certificates to make it easier to deal with old certificates that contain different cert extensions?
## Context
Fulcio Certificates went through a significant change rece…