I'm interested in perhaps running my own sigstore deployment at work for commit signing. Eventually, we'd like to use it for artifact signing and other signing and attestation use-cases.
However, in the interest of a "quick start", I'd like to use gitsign with just fulcio for issuance. It'd get us off the ground quickly while we learn how to deploy and operationalize rekor.
Does gitsign have support for running entirely without rekor? Relatedly, does gitsign still require an active fulcio instance for offline verification (so it can assert that fulcio actually issued the certificate and is recorded in the ctlog)?
Not a bug, but perhaps a feature request?