jku
commented
1 month ago Might have to rename some things -- the "verify-bundle" example is confusingly named. It's not really a sigstore-rs problem but just a result of sigstore overloading the word bundle.
- I'd like to add examples of verifying and signing the "sigstore bundle" as defined in https://github.com/sigstore/protobuf-specs/blob/main/protos/sigstore_bundle.proto
- Current
verify-bundleexample verifies a "cosign bundle" (I don't think there is a specification for this one but it's the format cosign produces withsign-blob --bundle=<FILENAME>)
The
sigstore::bundlemodule seems like the "modern high level sigstore API" out of all modules in the project but it is not mentioned in README and has no examples.I could try adding an example or two.