-
I've been keeping an eye on intermittent failures in various CI workflows that run sigstore tools (root-signing, root-signing-staging, sigstore-probers)... and my gut feeling is that sigstore-python f…
-
`/api/v1/log/proof` defaults to using the current shard when requesting consistency proofs. This will be an issue once we shard Rekor in production. As the shard changes, the consistency proof can't b…
-
**Description**
We are hosting our own Sigstore and have deployed both Rekor and Fulcio with RSA keys hosted in AWS. We are not signing container images but exclusively blobs through e.g.
```
c…
```
-
**Description**
There are cases where using the public Sigstore deployment is not an option, e.g. privacy concerns. Some organizations may opt to provide their own Sigstore deployment. Verifiers mu…
-
## Summary
cosign's `sign*` commands currently output a signature's transparency log index number (as of v2.2.4). As an enhancement, it would be helpful if cosign also output the rekor entry ID.
…
-
SPIRE depends on the `github.com/sigstore/rekor` Go module for using Rekor APIs. This causes some maintenance-related challenges with dependency management because that project is designed to provide …
-
release page: https://github.com/tektoncd/operator/releases
![image](https://github.com/tektoncd/operator/assets/33590311/d00e779b-5d17-4bbc-b213-2912e62619d0)
```
root@ubuntu:~# cat test.sh
R…
```
-
### Description
The [example](https://kyverno.io/docs/writing-policies/verify-images/sigstore/#ignoring-tlogs-and-sct-verification) on the website for disabling tlog verification check is out of date…
-
Architect a "Verified Reproducible Build Attestation".
Some useful links:
- https://www.cisa.gov/sites/default/files/2024-03/CISA_RSAA_User_Guide_18_March_2024.pdf
- https://cyclonedx.org/capabil…
-
In integrating Tessera into the Rekor log personality, we would like to have the Rekor server be able to return an inclusion proof to a client. In Tessera's model, this effectively makes Rekor its own…