Hayden B
Thanks for filing! This would be a useful feature for those who want to run private instances.
My guess is that `blob_sig` cannot be base64 encoded. Try `cat blob_sig | base64 -d > decoded_blob_sig` and see if you can upload that with the same key and artifact....
See https://github.com/sigstore/cosign/blob/main/pkg/cosign/verify.go#L1311-L1329 - We marshal the body, integrated time, log ID and log index, and then use a json canonicalization library before verifying it. That last step might be what's...
A feature to output the canonicalized bundle seems reasonable.
Left a comment on the issue on protobuf-specs. I'm not sure about the verification failure. That could be due to a change in requirements for the type? Early on there...
Rekor and CT are two different implementations of transparency logs. CT is specifically for certificates, Rekor records signatures/signing events. Are you using https://github.com/sigstore/rekor/blob/main/docker-compose.yml? Also check out https://github.com/sigstore/helm-charts.
Investigating further, it appears a lot of [known logs](https://github.com/transparency-dev/witness/blob/main/omniwitness/logs.yaml) don't follow this. This might be considered a breaking change from the perspective of the witness. Looking into it...
Given this will be a breaking change to witnesses and there is nothing mandating a matched origin and signature identifier, we won't move forward with making any changes for the...
cc @bdehamer @loosebazooka @woodruffw (also @codysoyland, but this'll be handled for Go with the fix in Rekor, since sigstore-go uses Rekor's verifier) Sorry for the long wall of text! The...
Sorry about that rollout, we had assumed the other content in the signed note was considered optional. The good news with this change is that there would be no changes...