sigstore / rekor-monitor

Log monitor for Rekor to verify immutability and monitor entries
Apache License 2.0

[feature] Support OID extension monitoring #158

Closed asraa closed 1 month ago

asraa commented 1 year ago

Description

SLSA GitHub generators use Sigstore signing to sign releases. Trusted builders use their GH provided OIDC identity to sign. The source repository is contained inside OID extensions, and later with enhancements, the caller workflow job ref will be as well. If rekor-monitor supports OID extension monitoring, users can monitor their package builds.

haydentherapper commented 8 months ago

Here are the Sigstore OIDs we should support monitoring for: https://github.com/sigstore/fulcio/blob/main/docs/oid-info.md
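The issue description and the linked Fulcio OID list together describe the check a monitor needs: pull the Sigstore-specific extensions out of the signing certificate and compare the source repository claim against what the user expects. The following is an added example, not code from rekor-monitor or from the commenters. It builds a constructed self-signed certificate carrying the Fulcio OIDs (1.3.6.1.4.1.57264.1.8 issuer, 1.3.6.1.4.1.57264.1.12 source repository URI, and the deprecated 1.3.6.1.4.1.57264.1.5 GitHub workflow repository, taken from the Fulcio oid-info document), then shows how a monitor would decode them; it handles the difference between the newer DER-encoded UTF8String values and the deprecated raw-bytes values, which a real monitor must do because both forms appear in the log.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"time"
)

// Sigstore/Fulcio OIDs from the oid-info document linked in this issue.
var (
	oidIssuerV2      = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 57264, 1, 8}
	oidSourceRepoURI = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 57264, 1, 12}
	// Deprecated form: value is "owner/repo" as raw bytes, not DER.
	oidGitHubRepoOld = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 57264, 1, 5}
)

// extensionValue returns the value of extension oid in cert, or false if absent.
// Current Fulcio extensions are DER-encoded strings; the deprecated ones hold
// raw bytes, so a failed DER decode falls back to the raw value.
func extensionValue(cert *x509.Certificate, oid asn1.ObjectIdentifier) (string, bool) {
	for _, ext := range cert.Extensions {
		if !ext.Id.Equal(oid) {
			continue
		}
		var s string
		if rest, err := asn1.Unmarshal(ext.Value, &s); err == nil && len(rest) == 0 {
			return s, true
		}
		return string(ext.Value), true
	}
	return "", false
}

// MatchesMonitoredRepo reports whether cert claims repoURI as its source
// repository, via the current URI extension or the deprecated owner/repo one.
func MatchesMonitoredRepo(cert *x509.Certificate, repoURI string) bool {
	if v, ok := extensionValue(cert, oidSourceRepoURI); ok && v == repoURI {
		return true
	}
	if v, ok := extensionValue(cert, oidGitHubRepoOld); ok && "https://github.com/"+v == repoURI {
		return true
	}
	return false
}

// utf8Ext encodes s as a DER UTF8String, the encoding current Fulcio OIDs use.
func utf8Ext(oid asn1.ObjectIdentifier, s string) pkix.Extension {
	v, _ := asn1.MarshalWithParams(s, "utf8")
	return pkix.Extension{Id: oid, Value: v}
}

// rawExt stores s as raw bytes, the encoding of the deprecated Fulcio OIDs.
func rawExt(oid asn1.ObjectIdentifier, s string) pkix.Extension {
	return pkix.Extension{Id: oid, Value: []byte(s)}
}

// newTestCert builds a constructed self-signed certificate with the given
// extensions. It stands in for a Fulcio-issued leaf in this example only.
func newTestCert(exts ...pkix.Extension) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:    big.NewInt(1),
		Subject:         pkix.Name{CommonName: "constructed-example"},
		NotBefore:       time.Now(),
		NotAfter:        time.Now().Add(10 * time.Minute),
		ExtraExtensions: exts,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	// Constructed sample: a cert claiming the rekor-monitor repository.
	cert, err := newTestCert(
		utf8Ext(oidIssuerV2, "https://token.actions.githubusercontent.com"),
		utf8Ext(oidSourceRepoURI, "https://github.com/sigstore/rekor-monitor"),
	)
	if err != nil {
		panic(err)
	}
	issuer, _ := extensionValue(cert, oidIssuerV2)
	fmt.Println("issuer:", issuer)
	fmt.Println("matches monitored repo:",
		MatchesMonitoredRepo(cert, "https://github.com/sigstore/rekor-monitor"))
}
```

A monitor would run MatchesMonitoredRepo over the certificate in each new log entry and alert on any match for the watched repository, since an unexpected entry means someone signed with an identity claiming that repo.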

linus-sun commented 1 month ago

picking this up!

haydentherapper commented 1 month ago

This is now completed!