Hayden B
> Are you proposing we should have the equivalent of the gRPC test suite, but pointed at a live instance? Yea, I'd like a subset of the suite tests pointed...
Note to self: We need to also test:
* Values of the certificate
* Successful entry in a transparency log, successful verification of the SCT, and verify inclusion proof
Not a blocker, sounds good.
In addition to the key management suggestions Laurent gave, for enterprises that already manage their own signing infrastructure and don't want to rely on the community-hosted Sigstore infrastructure, they can...
FYI this was added in https://github.com/sigstore/cosign/pull/1626 for Cosign. We went with individual flags for each GitHub claim.
I think the UX isn't ideal, and that the long-term solution would be a policy file. For one-off verifications, I think flags are fine.
We are likely going to add this very soon in Cosign. Will tag y'all on the PR for discussion.
Once the bundle contains the sig and crt, should offline be the default?
Correct - The inclusion proof is an alternative to the bundle - https://github.com/sigstore/rekor/blob/main/openapi.yaml#L448-L457 In terms of security properties, they're roughly equivalent. The SET is a "promise" that needs to be...
FYI, deploying 2.35.1, we saw an error: `failed to initialize server: server: Failed to open connector https://accounts.google.com: failed to open connector: failed to create connector https://accounts.google.com: could not create directory`...