Open ashearin opened 2 months ago
Thanks for filing this @ashearin!
Yes, I think exposing this would be fine -- IMO we should expose it only via the API for now and then think about an appropriate CLI option (I've been trying to minimize the number of CLI flags used to configure Sigstore's underlying instances, so we could maybe get this added to the trust configuration or similar instead).
If you send a PR for this, I'd be happy to review and merge it 🙁. Otherwise I'll attempt this in the next few weeks (I'm traveling with limited computer access until early June).
With regards to CLI tool options I agree that a flag should not be added for something like this... However, this fits SigningConfig really well: if it was added there, sigstore-python could support that through the already existing --trust-config flag.
Description
I'm attempting to leverage sigstore-python library for an enterprise signing/verification tool. Working on a proof of concept resulted in this small example:

Went through the process of setting up an app with our oauth manager to facilitate authentication, however the redirect URI cannot use wildcards with localhost ports. This security configuration choice leaves me stuck, since sigstore-python uses ephemeral ports.

Could we add the ability to specify this redirect URI? Cosign already has a flag for this
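
The mismatch described in this issue, as an added example that is not part of the thread and not sigstore-python code: a callback listener bound to an ephemeral port produces a redirect URI that an exact-match identity provider rejects, while a provider applying the port-agnostic loopback rule of RFC 8252 section 7.3 accepts it. All function names, port 8085 and the `/auth/callback` path are constructed for illustration.

```python
import socket
from urllib.parse import urlsplit

# Constructed sample: the single redirect URI registered with the IdP.
REGISTERED_REDIRECTS = {"http://127.0.0.1:8085/auth/callback"}
LOOPBACK_HOSTS = {"127.0.0.1", "::1", "localhost"}


def bind_loopback(port=0):
    """Bind the local OAuth callback listener; port=0 asks the OS for an ephemeral port."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    sock.bind(("127.0.0.1", port))
    sock.listen(1)
    return sock


def redirect_uri_for(sock, path="/auth/callback"):
    """Redirect URI the client would send in its authorization request."""
    return f"http://127.0.0.1:{sock.getsockname()[1]}{path}"


def exact_match(uri, registered=REGISTERED_REDIRECTS):
    """Strict IdP policy: the whole URI, port included, must be pre-registered."""
    return uri in registered


def port_agnostic_loopback_match(uri, registered=REGISTERED_REDIRECTS):
    """RFC 8252 section 7.3 style policy: any port is allowed on loopback hosts."""
    got = urlsplit(uri)
    for entry in registered:
        want = urlsplit(entry)
        if (got.scheme, got.hostname, got.path) != (want.scheme, want.hostname, want.path):
            continue
        if got.hostname in LOOPBACK_HOSTS or got.port == want.port:
            return True
    return False


if __name__ == "__main__":
    listener = bind_loopback()  # ephemeral port, as described in the issue
    uri = redirect_uri_for(listener)
    print(uri, "exact:", exact_match(uri), "loopback rule:", port_agnostic_loopback_match(uri))
    listener.close()
```

With a strict provider, only a client that can be told which port to bind (the fixed, registered one) can complete the flow.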