Hayden B
Ah ha, I think I figured out what's happening:

* Experimental is enabled, so the Fulcio roots and intermediates are fetched [here](https://github.com/sigstore/cosign/blob/fdceee4825dc5d56b130f3f431aab93137359e79/cmd/cosign/cli/verify/verify.go#L115-L131)
* This calls [initRoots](https://github.com/sigstore/cosign/blob/main/internal/pkg/cosign/fulcio/fulcioroots/fulcioroots.go#L60) once
* Pools are...
re: `--certificate-root`, I would like to avoid more flags that make it easy to provide your own root. We should be encouraging TUF usage. I've always said that `SIGSTORE_ROOT_FILE` is...
Looks like this was an accidental regression; at one point we were lazily loading the intermediate pool: https://github.com/sigstore/cosign/pull/1804/files. I think this change occurred when we moved over code from...
Can you try `SIGSTORE_ROOT_FILE=root.cert cosign verify $IMAGE:$TAG`? This should pick up the certificate and chain from the annotations on the image automatically.
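The two comments above (the root/intermediate pools built by `initRoots`, and verifying with `SIGSTORE_ROOT_FILE` while the certificate and chain come from the image annotations) both come down to the same check: a leaf certificate verified against a root pool from a file and an intermediate pool from the chain that travelled with the signature. The following is an added Go example, not cosign's or Fulcio's own code. It generates a throwaway root, intermediate and ten-minute leaf in memory to stand in for Fulcio's hierarchy, and the names `TestPKI`, `BuildTestPKI` and `VerifyLeaf` are assumptions for illustration. It also shows the failure a practitioner should expect when the intermediates are missing or the wrong root file is supplied.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// TestPKI is a constructed root -> intermediate -> leaf hierarchy standing in for
// Fulcio's. It is generated in memory; nothing here is real Sigstore material.
type TestPKI struct {
	RootPEM  []byte            // what a SIGSTORE_ROOT_FILE would contain
	ChainPEM []byte            // what the image's certificate-chain annotation would carry
	Leaf     *x509.Certificate // the short-lived signing certificate
}

func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// caTemplate builds a CA certificate template valid for one day.
func caTemplate(cn string, serial int64) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
}

// issue signs tmpl with parentKey under parent; a nil parent makes it self-signed.
func issue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, parentKey *ecdsa.PrivateKey) (*x509.Certificate, error) {
	if parent == nil {
		parent = tmpl
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func toPEM(c *x509.Certificate) []byte {
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: c.Raw})
}

// BuildTestPKI generates a fresh root, an intermediate signed by it, and a
// ten-minute code-signing leaf signed by the intermediate (assumed shape).
func BuildTestPKI() (*TestPKI, error) {
	rootKey, intKey, leafKey := newKey(), newKey(), newKey()
	root, err := issue(caTemplate("test-root", 1), nil, &rootKey.PublicKey, rootKey)
	if err != nil {
		return nil, err
	}
	inter, err := issue(caTemplate("test-intermediate", 2), root, &intKey.PublicKey, rootKey)
	if err != nil {
		return nil, err
	}
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(3),
		Subject:      pkix.Name{CommonName: "signer"},
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().Add(10 * time.Minute), // short-lived, as Fulcio issues
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning},
	}
	leaf, err := issue(leafTmpl, inter, &leafKey.PublicKey, intKey)
	if err != nil {
		return nil, err
	}
	return &TestPKI{RootPEM: toPEM(root), ChainPEM: toPEM(inter), Leaf: leaf}, nil
}

// VerifyLeaf checks leaf against a root pool built from rootPEM and an
// intermediate pool built from chainPEM, requiring the code-signing EKU.
func VerifyLeaf(rootPEM, chainPEM []byte, leaf *x509.Certificate) error {
	roots := x509.NewCertPool()
	if !roots.AppendCertsFromPEM(rootPEM) {
		return errors.New("no root certificates parsed from root file")
	}
	intermediates := x509.NewCertPool()
	intermediates.AppendCertsFromPEM(chainPEM) // an empty chain simply leaves the pool empty
	_, err := leaf.Verify(x509.VerifyOptions{
		Roots:         roots,
		Intermediates: intermediates,
		KeyUsages:     []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning},
	})
	return err
}

func main() {
	pki, err := BuildTestPKI()
	if err != nil {
		panic(err)
	}
	fmt.Println("with chain:   ", VerifyLeaf(pki.RootPEM, pki.ChainPEM, pki.Leaf))
	fmt.Println("without chain:", VerifyLeaf(pki.RootPEM, nil, pki.Leaf))
}
```

Run as-is, the first line prints `<nil>` and the second an `x509: certificate signed by unknown authority` error, because the leaf is issued by the intermediate rather than the root: the chain from the annotation has to populate the intermediate pool, not the root pool, or verification is either impossible or, worse, trusts the intermediate as a root. The `KeyUsages` setting matters too: Go's default is server authentication, which would reject a code-signing leaf outright.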
Ah yes, that would require checking the transparency log by default. We should be supporting this use case of automatically fetching the certificate and chain from the annotations. We are...
I'm happy to have this moved out of Cosign and into Fulcio. A `client` package would be helpful. I'd prefer it live in Fulcio, rather than sigstore/sigstore. I'm not certain...
One concern with this is it'd be best if the maintainers of the respective repositories had ownership of this logic and visibility into changes to this logic. Those who maintain...
Discussing only the Fulcio aspect, I see no reason why we wouldn't be willing to add an IDP into either Dex or directly into Fulcio's IDPs, as long as the...
> You complete that flow; OIDCProxy.com then completes the IdP flow for OIDCProxy.com identity == H("GitHub" || your GitHub OIDC ID || salt)

How do you write verification policy for...