Closed susperius closed 2 months ago
If you want to see the entire work to convert manifests to in-toto, see #267 (I split it into a series of PRs with various in-toto payloads to ease reviews; for every PR, just look at the last commit).
Sorry, just saw this.
I was working on this area too, as said via chat. I'll push my PR shortly, once I clean it. But I think we can go directly to in-toto now; we don't need to replicate the manifest once more.
ok, I'll leave it at that and stop trying to contribute for now.
That wasn't my intention :(
WIP do not merge
This is my first draft of adopting the new signing and manifest primitives for actual signature creation and serialization to disk. For now the idea is to use `BytesSigner` to sign the contents of the manifest payload and provide verification material. That can then be stored on disk together with the signed payload as a tuple of (SigstoreBundle, Manifest).

@mihaimaruseac PLMK what you think about this approach.