Hayden B
We don't have a preferred way currently to specify who can sign for what. TUF seems to be a good candidate for this - [PEP480](https://peps.python.org/pep-0480/) (WIP) for example discusses this,...
No longer needed, as we use the DSSE type now.
I think it might be useful to have a design doc before coding for this feature, so we can discuss formatting and what is to be reported by inspect
Hey all, I'm one of the maintainers on Cosign and [sigstore-go](https://github.com/sigstore/sigstore-go). Agreed that Cosign is massive in size due to pulling in many cloud dependencies, and is more commonly used...
Hey @stevehipwell @janosdebugs, sorry for the delayed response. `sigstore-go` is not yet a mature library. The verification API is fairly stable and well-tested as it's been integrated in a number...
Great discussions about this, and thanks Kris for proposing this spec update! I want to keep Sigstore and SLSA independent, but treat this proposal as collaboration between the two. What...
> The Fulcio extensions aren't exactly well tested

What do you mean by this? These extensions are simply values from CI/CD identity tokens. We have seen them used already to...
I'd love to have a mapping between CLI flag, env var name, and profile configuration. We've got a mapping between the first two in Cosign currently, there might be a...
What version of rpm is the package? We use https://pkg.go.dev/github.com/cavaliercoder/go-rpm, which is a bit dated unfortunately.
Yes, we're planning to take a look at this shortly.