Hayden B
Yep, if you take a look at the CodeFresh PR, that’s what you’ll need to do. Add the code and map as many token claims to extensions.
Dup of https://github.com/slsa-framework/slsa-github-generator/issues/3350
Checkpoint format comes from https://github.com/sigstore/rekor/blob/main/pkg/util/checkpoint.go. It's Go's SumDB note format (https://pkg.go.dev/golang.org/x/mod/sumdb/note) with a timestamp in OtherContent.
cc @woodruffw @jleightcap - I think y'all have begun looking at supporting inclusion proof?
Rekor signs its checkpoints and SignedEntryTimestamps, and verifies signed artifacts. Also note that the Merkle tree uses sha256 for hashing its leaves, but this does not need to be updated...
No, we shouldn't need a new hashedrekord version to support an additional hash algorithm. sha256 is encoded in the request, like https://github.com/sigstore/cosign/blob/1ebb6d95ec93a5873614e756c2c62ce46af7167b/pkg/cosign/tlog.go#L241C55-L241C55. We might ignore it in hashedrekord now, but...
It's most straightforward to add this where you suggested. If you pass this down to the verifier, you'll also need context if this is an upload vs fetch (for example,...
@dmitris Is this ready for review? Or were you looking for more initial feedback for moving it out from draft?
cc'ing correct @asraa +1 to integrating with the conformance suite - https://github.com/sigstore/sigstore-conformance#usage. Right now, there aren't many tests, but as we add more tests, this makes it easy to detect...
@vembacher I would like to see inclusion proof verification be a requirement of clients. The bundle format defines this as optional currently, but I've proposed making this a requirement in...