Aditya Sirish
Thanks, @lukpueh. I'd like to add that I think we should get rid of any mention of the private portion of the key from the spec to avoid any confusion....
Right, but that's a convenience in implementing signing, right? We don't technically need to define it in our metadata formats? I may be way off here, though.
Does rekor support link metadata, or just ITE-6 attestations? I'm personally unaware... As for the version mismatch, the in-toto website still points to the specification which is still v0.9. I'm...
No, we don't. Did rekor update to only supporting DSSE?
Hi @omerlh, thanks for opening the issue. Currently, when the command that is run differs from the expected command in the layout, it merely shows a warning--this is not a...
```
saky ~/.../in-toto-demo/final_product > in-toto-verify -l root.layout -k alice.pub
(in-toto-verify) RuleVerificationError: 'DISALLOW *' matched the following artifacts: ['demo-project/foo.py']
Full trace for 'expected_materials' of item 'package':
Available materials (used for queue):...
```
It's part of the spec (emphasis mine):

> Finally, the "expected_command" field contains a string, COMMAND, describing the suggested command to run. It is important to mention that, in a...
I see a reference to it here: https://in-toto.readthedocs.io/en/latest/layout-creation-example.html?highlight=expected%20command#layout-creation-example But I agree, it needs to be clearer, and part of the docs for the verification workflow. There, it says "soft-verify", which isn't very...
If I'm not mistaken, in that instance you'd ideally have in-toto metadata capturing the repository state that you're cloning and/or other solutions to secure the repository itself. cc-ing @SantiagoTorres to...
Thanks Marina! Here's how the signing-spec currently defines key IDs: https://github.com/secure-systems-lab/signing-spec/blob/master/protocol.md#signature-definition

> KEYID: Optional, unauthenticated hint indicating what key and algorithm was used to sign the message. As with Sign(),...