sigstore-rs

An experimental Rust crate for sigstore

Results 74 sigstore-rs issues

**Description** Up to version 0.7.2, the [`SigstoreRepository::fetch`](https://docs.rs/sigstore/0.7.2/sigstore/tuf/struct.SigstoreRepository.html#method.fetch) method took care of synchronizing the contents of a local checkout of Sigstore's TUF repository. Now (v0.8.0 being latest stable release), the [`SigstoreTrustRoot::new`](https://docs.rs/sigstore/0.9.0/sigstore/trust/sigstore/struct.SigstoreTrustRoot.html#method.new)...

bug

**Description** Currently (v0.8.0) the [`sigstore::trust::TrustRoot`] trait has two methods, both of them `async`. These methods have been made async because of internal implementation of [`sigstore::trust::sigstore::SigstoreTrustRoot`](https://docs.rs/sigstore/0.9.0/sigstore/trust/sigstore/struct.SigstoreTrustRoot.html). Internally `SigstoreTrustRoot` has to initialize...

enhancement

@tnytown found some compatibility issues with root-signing-staging during https://github.com/sigstore/sigstore-rs/pull/354: 1. keyids were accidentally non-compliant: this concerns root-signing-staging only and will be fixed there, hopefully next week (sigstore-rs needs to initialize...

bug

Follow-on for #326. We should determine if we need to support CT/AT signing key types besides secp256r1. I haven't observed any other key types in PGI TUF materials, but support...

enhancement

> Multiple soundness issues | Details | | | ------------------- | ---------------------------------------------- | | Status | unsound | | Package | `lexical` | | Version | `6.1.1` | | URL...

I'm not too confident with rust or this code base yet so advice is welcome: I can see there are many ways to implement something like the "signing identity" here...

`actions-rs` actions are unmaintained and archived, we should not be using them. Luckily we weren't really using anything special from them: using `rustup` (that is part of the GitHub image) and...

`cargo check --no-default-features` complains like this: ``` warning: method `verify_prehash` is never used --> src/crypto/verification_key.rs:334:19 | 124 | impl CosignVerificationKey { | -------------------------- method in this implementation ... 334 |...

bug

All GitHub actions in the `actions-rs` org are archived and unmaintained. We should stop using them. * Uses of `actions-rs/cargo` look like they would be trivial to replace with just...

enhancement

> Multiple soundness issues | Details | | | ------------------- | ---------------------------------------------- | | Status | unsound | | Package | `lexical-core` | | Version | `0.8.5` | | URL...