`sget` is intended to fetch, verify and run a script in an OCI registry. With integration with `cosign policy init` and `cosign policy sign`, `sget` can go further and only run a script if the policy is satisfied -- e.g., 2+ of N listed maintainers have signed off.

It could be a nice UX improvement to have `sget` react to an unmet policy by waiting and polling until the policy is satisfied, instead of just failing as it does today. Something like a `--wait` flag with some default like `--wait=1h`, which would tell `sget` to poll for up to one hour for the policy to be met (or `^C` to give up). `--wait=0` would give you the current try-once-then-fail behavior.

This might only/mainly be useful in demo scenarios, since it's generally unlikely that a script you intend to run is so new that it hasn't been signed by enough maintainers, but I think it would add to the experience and be pretty straightforward to implement.
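The polling loop sketched above, written out as an added example (this is not sget's or cosign's own code). It assumes a hypothetical `PolicyCheck` hook standing in for wherever sget re-verifies the fetched script's signatures against the policy, and models the policy as "k of N listed maintainers have signed" with a constructed maintainer list. The three outcomes the proposal describes are all covered: the policy becomes satisfied within the budget and the script may run, `--wait=0` tries exactly once and fails, and the budget expires or `^C` is pressed and sget gives up without running anything.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"os"
	"os/signal"
	"sync"
	"time"
)

// ErrPolicyUnsatisfied is returned when the wait budget runs out before the
// signature policy is met. The script must not run in that case.
var ErrPolicyUnsatisfied = errors.New("signature policy not satisfied")

// PolicyCheck is a hypothetical hook (an assumption, not sget's real API) that
// re-verifies the artifact's signatures and reports whether the policy holds.
type PolicyCheck func(ctx context.Context) (bool, error)

// WaitForPolicy implements the proposed --wait behaviour: check once, and if
// the policy is unmet keep polling every interval until it is met, the wait
// budget is exhausted, or ctx is cancelled (e.g. by ^C). wait == 0 keeps the
// current try-once-then-fail behaviour.
func WaitForPolicy(ctx context.Context, wait, interval time.Duration, check PolicyCheck) error {
	ok, err := check(ctx)
	if err != nil {
		return err
	}
	if ok {
		return nil
	}
	if wait <= 0 {
		return ErrPolicyUnsatisfied
	}
	deadline := time.NewTimer(wait)
	defer deadline.Stop()
	ticker := time.NewTicker(interval)
	defer ticker.Stop()
	for {
		select {
		case <-ctx.Done():
			return ctx.Err() // user gave up
		case <-deadline.C:
			return ErrPolicyUnsatisfied // budget spent, fail closed
		case <-ticker.C:
			ok, err := check(ctx)
			if err != nil {
				return err
			}
			if ok {
				return nil
			}
		}
	}
}

// thresholdPolicy models "threshold of the listed maintainers have signed off".
type thresholdPolicy struct {
	maintainers map[string]bool // constructed sample of allowed signer identities
	threshold   int
}

// satisfied counts distinct signers that are listed maintainers; duplicate
// signatures from one maintainer and signatures from unlisted identities do
// not count towards the threshold.
func (p thresholdPolicy) satisfied(signers []string) bool {
	seen := map[string]bool{}
	for _, s := range signers {
		if p.maintainers[s] {
			seen[s] = true
		}
	}
	return len(seen) >= p.threshold
}

func main() {
	// ^C cancels the context, which makes WaitForPolicy return ctx.Err().
	ctx, stop := signal.NotifyContext(context.Background(), os.Interrupt)
	defer stop()

	policy := thresholdPolicy{
		maintainers: map[string]bool{"alice": true, "bob": true, "carol": true},
		threshold:   2,
	}
	var mu sync.Mutex
	signers := []string{"alice"} // constructed: only one maintainer has signed so far
	go func() {                  // constructed: a second maintainer signs a little later
		time.Sleep(300 * time.Millisecond)
		mu.Lock()
		signers = append(signers, "bob")
		mu.Unlock()
	}()
	check := func(context.Context) (bool, error) {
		mu.Lock()
		defer mu.Unlock()
		return policy.satisfied(signers), nil
	}

	wait := time.Hour // stands in for the proposed --wait=1h default
	if err := WaitForPolicy(ctx, wait, 100*time.Millisecond, check); err != nil {
		fmt.Fprintln(os.Stderr, "refusing to run script:", err)
		os.Exit(1)
	}
	fmt.Println("policy satisfied; script would run now")
}
```

The loop fails closed on every path except an explicit `true` from the check: a transient verification error is surfaced rather than retried, so a misconfigured registry or policy file cannot be mistaken for "still waiting for signatures".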