Closed ramonpetgrave64 closed 5 months ago
@laurentsimon please take a look
I've updated the PR to dynamically use the keyid specified in the sigstore bundle, rather than the hardcoded keyid.
@ramonpetgrave64 feel free to merge after addressing the few nits. Please create a tracking issue for the TUF verification discussed in https://github.com/slsa-framework/slsa-verifier/pull/731#discussion_r1560402195. Thanks for the PR!
Addresses: https://github.com/slsa-framework/slsa-verifier/issues/547
Currently slsa-verifier has npmjs' attestation key hardcoded, but sigstore now stores the same key within its own TUF root.
This PR
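The following is an added illustration of the idea in the PR description and in the author's comment above (select the npm attestation key by the keyid the Sigstore bundle carries, looked up in a key list that would come from the Sigstore TUF root, instead of one hardcoded key). It is not slsa-verifier's code or the PR's diff. The JSON shapes (`keyId`, `keyUsage`, `publicKey.rawBytes`, `publicKey.keyDetails`, `publicKey.validFor.start` for the TUF target; `verificationMaterial.publicKey.hint` for the bundle), the key-ID derivation (`SHA256:` plus unpadded base64 of the SHA-256 of the SPKI DER), and the function names are assumptions made for this example; the TUF target and the bundle fragment are constructed inline from a freshly generated key rather than fetched.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"time"
)

// npmKey mirrors one entry of the keys.json TUF target (field names are assumed).
type npmKey struct {
	KeyID     string `json:"keyId"`
	KeyUsage  string `json:"keyUsage"`
	PublicKey struct {
		RawBytes   string `json:"rawBytes"` // base64 SubjectPublicKeyInfo DER
		KeyDetails string `json:"keyDetails"`
		ValidFor   struct {
			Start time.Time `json:"start"`
		} `json:"validFor"`
	} `json:"publicKey"`
}

// KeyIDFor derives an npm-style key ID (assumed format): "SHA256:" + unpadded
// base64 of sha256(SPKI DER).
func KeyIDFor(pub *ecdsa.PublicKey) (string, error) {
	der, err := x509.MarshalPKIXPublicKey(pub)
	if err != nil {
		return "", err
	}
	sum := sha256.Sum256(der)
	return "SHA256:" + base64.RawStdEncoding.EncodeToString(sum[:]), nil
}

// SelectKey resolves the key named by the bundle's keyid hint against the TUF-served
// key list instead of trusting one hardcoded key, and cross-checks the advertised
// keyId against the key bytes actually served.
func SelectKey(bundleJSON, keysJSON []byte, now time.Time) (*ecdsa.PublicKey, error) {
	var b struct{ VerificationMaterial struct{ PublicKey struct{ Hint string } } }
	var ks struct{ Keys []npmKey }
	if err := json.Unmarshal(bundleJSON, &b); err != nil {
		return nil, err
	}
	if err := json.Unmarshal(keysJSON, &ks); err != nil {
		return nil, err
	}
	hint := b.VerificationMaterial.PublicKey.Hint
	if hint == "" {
		return nil, fmt.Errorf("bundle carries no public key hint")
	}
	for _, k := range ks.Keys {
		if k.KeyID != hint || k.KeyUsage != "npm:attestations" {
			continue
		}
		if k.PublicKey.KeyDetails != "PKIX_ECDSA_P256_SHA_256" || now.Before(k.PublicKey.ValidFor.Start) {
			return nil, fmt.Errorf("key %s: unsupported type or not yet valid", hint)
		}
		der, err := base64.StdEncoding.DecodeString(k.PublicKey.RawBytes)
		if err != nil {
			return nil, err
		}
		parsed, err := x509.ParsePKIXPublicKey(der)
		if err != nil {
			return nil, err
		}
		pub, ok := parsed.(*ecdsa.PublicKey)
		if !ok {
			return nil, fmt.Errorf("key %s is not ECDSA", hint)
		}
		if got, _ := KeyIDFor(pub); got != hint {
			return nil, fmt.Errorf("keyId %s does not match fingerprint %s", hint, got)
		}
		return pub, nil
	}
	return nil, fmt.Errorf("no npm:attestations key with id %s in TUF target", hint)
}

// VerifyAttestation checks an ECDSA-P256/SHA-256 signature over the signed payload.
func VerifyAttestation(pub *ecdsa.PublicKey, payload, sig []byte) bool {
	h := sha256.Sum256(payload)
	return ecdsa.VerifyASN1(pub, h[:], sig)
}

// MakeFixture builds constructed sample inputs: a fresh key, a keys.json-shaped target listing it, and a bundle fragment whose hint names it.
func MakeFixture() (*ecdsa.PrivateKey, []byte, []byte) {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	der, _ := x509.MarshalPKIXPublicKey(&priv.PublicKey)
	var k npmKey
	k.KeyID, _ = KeyIDFor(&priv.PublicKey)
	k.KeyUsage = "npm:attestations"
	k.PublicKey.RawBytes = base64.StdEncoding.EncodeToString(der)
	k.PublicKey.KeyDetails = "PKIX_ECDSA_P256_SHA_256"
	k.PublicKey.ValidFor.Start = time.Date(2022, 1, 1, 0, 0, 0, 0, time.UTC)
	keysJSON, _ := json.Marshal(map[string][]npmKey{"keys": {k}})
	bundleJSON := []byte(fmt.Sprintf(`{"verificationMaterial":{"publicKey":{"hint":%q}}}`, k.KeyID))
	return priv, keysJSON, bundleJSON
}
```

The point a reviewer would want covered is the failure path: a hint that names no key in the TUF target, or a key outside its validity window, is an error, not a fall back to a hardcoded key, and the keyId advertised in the target is recomputed from the served bytes so a tampered list cannot relabel a key.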