Closed wilsonehusin closed 2 years ago
I just realized that it is actually not racy, but implicitly uses the embedded version of cosign to validate signatures instead of using the version specified in `bindl.yaml`.
🤔 I think this is an inevitable chicken-egg problem, at least at the moment. Closing it for now until ideas / needs arise.
When necessary, `bindl sync` will shell out to `bindl get --bootstrap cosign`. This is done through shell instead of programmatically to avoid recursive import between `program/` and `command/`. However, this is a racy implementation where the bootstrapped version might be used instead of a specified version of cosign in `bindl.yaml`.