Hayden B

Results 828 comments of Hayden B

This sounds like a one-off GHA failure, is it still occurring?

Without logs, I'm unable to reproduce this.

This work is dependent on fulcio including these claims from the OIDC token in the certificate, which is ongoing in https://github.com/sigstore/fulcio/pull/945. We can then add flags for the new claims,...

For completeness, the other kinds, from most to least used:

* hashedrekord
* intoto - Usage should be trending downwards as the `dsse` kind should be used. I know many...

We may want to add support for other verifiers, e.g. not just public keys or certs but also pgp, in hashedrekord, so that rpm or helm charts that are signed...

Hey, thanks for the PR, and @akljph, sorry for not writing back via email. The concern with taking on additional platforms is that the maintainers don't have familiarity with the...

I wrote up a post then re-read what you wrote and realized I was saying the same thing, so now this is shorter 😄

> Should Fulcio code signing certificates...

> I believe you would need to put the hashes in a new section of the lockfile (perhaps HASHES) to maintain backwards compatibility. Or is the plan for hashes to...

Thanks for the link @deivid-rodriguez. Seems like the consensus is we want this feature to be added. I see some discussion around when to calculate hashes. My proposal avoids TOFU,...