slsa-framework / slsa-github-generator

Language-agnostic SLSA provenance generation for GitHub Actions
Apache License 2.0
403 stars 123 forks

[feature] Add support for using a custom Sigstore deployment #3607

Open lcarva opened 2 months ago

lcarva commented 2 months ago

Is your feature request related to a problem? Please describe.
I would like to use generator_container_slsa3 to generate SLSA Provenance for my container image, but instead of using the public deployment of Sigstore, I would like to use my own Sigstore deployment.

Describe the solution you'd like
Provide the ability to specify an alternative TUF mirror/root, Rekor, and Fulcio.

Describe alternatives you've considered
The alternative is to fork this repo and implement the changes there, which works but does not benefit the community in general.

Additional context
This feature request has some overlap with https://github.com/slsa-framework/slsa-github-generator/issues/34. I'm happy to use that instead if the differences are not clear to others.
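The three knobs the request names (TUF mirror/root, Fulcio, Rekor) are exactly what cosign already exposes as flags, so the manual workaround a user has today is to drive cosign against the private deployment outside the generator. The script below is an added example, not code from slsa-github-generator or from the issue author; it shows which flag carries which endpoint and why the TUF root is pinned from a file rather than taken from the mirror. All hostnames, the `./root.json` path, the `RUN_EXAMPLE`/`DRY_RUN` switches and the `check_root`/`*_args` helper names are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not slsa-github-generator code: driving cosign against a private
# Sigstore deployment by hand. Every URL and path below is a hypothetical placeholder.
set -euf   # -f: no pathname expansion, so regexp arguments survive word splitting

TUF_MIRROR="${TUF_MIRROR:-https://tuf.sigstore.example.internal}"
TUF_ROOT="${TUF_ROOT:-./root.json}"            # obtained out of band from the TUF operators
FULCIO_URL="${FULCIO_URL:-https://fulcio.sigstore.example.internal}"
REKOR_URL="${REKOR_URL:-https://rekor.sigstore.example.internal}"
OIDC_ISSUER="${OIDC_ISSUER:-https://token.actions.githubusercontent.com}"

# Refuse to bootstrap trust from the mirror alone: the root must be a non-empty file
# you obtained through a channel independent of the mirror that serves the metadata.
check_root() {
  [ -s "$1" ]
}

# Arguments for `cosign initialize`: fetch TUF metadata (Fulcio CA roots, Rekor key)
# from the private mirror, verified against the pinned root.
init_args() {
  printf 'initialize --mirror %s --root %s' "$TUF_MIRROR" "$TUF_ROOT"
}

# Arguments for keyless signing of one image reference ($1) against the private
# Fulcio and Rekor, using the GitHub Actions OIDC issuer for the identity token.
sign_args() {
  printf 'sign --fulcio-url %s --rekor-url %s --oidc-issuer %s %s' \
    "$FULCIO_URL" "$REKOR_URL" "$OIDC_ISSUER" "$1"
}

# Arguments for verification of $1: the signer identity regexp ($2) and issuer are
# pinned explicitly, and the log URL must be the same Rekor the signature went to.
verify_args() {
  printf 'verify --rekor-url %s --certificate-identity-regexp %s --certificate-oidc-issuer %s %s' \
    "$REKOR_URL" "$2" "$OIDC_ISSUER" "$1"
}

# Run cosign, or just print the command line when DRY_RUN=1 (the default, so the
# script is safe to execute without a deployment in reach).
run_cosign() {
  if [ "${DRY_RUN:-1}" = "1" ]; then
    echo "cosign $*"
  else
    cosign "$@"
  fi
}

main() {
  image="$1"
  identity_re="$2"
  if ! check_root "$TUF_ROOT"; then
    echo "refusing: pinned TUF root $TUF_ROOT is missing or empty" >&2
    return 1
  fi
  run_cosign $(init_args)
  run_cosign $(sign_args "$image")
  run_cosign $(verify_args "$image" "$identity_re")
}

# Usage (hypothetical image and workflow identity):
#   RUN_EXAMPLE=1 ./private-sigstore.sh ghcr.io/example/app@sha256:<digest> \
#     'https://github.com/example/app/.github/workflows/release.yml@refs/tags/.*'
if [ "${RUN_EXAMPLE:-0}" = "1" ]; then
  main "$1" "$2"
fi
```

Run it once with the default `DRY_RUN=1` to see the three command lines, then with `DRY_RUN=0` against a real deployment. The order matters: `cosign initialize` must run before `sign` and `verify`, otherwise cosign verifies against the public Sigstore trust root and a signature from a private Fulcio will not validate.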

ianlewis commented 2 months ago

I think it's fine to have this issue. We intended for private sigstore (including TUF/Fulcio) to be in scope for #34 but it's not explicitly written there.