Hayden B

Results 828 comments of Hayden B

Hey! Just wanted to check if you know when this can be merged.

Could this instead be a general purpose batch retrieval API, rather than specifically for checkpointing? I had started implementation on this a while ago but didn't get a chance to finish....

https://github.com/sigstore/fulcio/pull/1744 should fix.

A related search engine issue: Google appears to be parsing `time_verified` on the [VSA spec](https://slsa.dev/spec/v0.1/verification_summary) and setting the article date to 1985:

Thanks for the context! I'm going to try to find someone at Red Hat who works on RPM, though I suspect some pushback to format changes since it's an old file...

We have the same concern with RPM packages. Even if we can convince RPM to move off V3, we'll need to handle verification of existing packages.

I could see a need for both - a user may gather their own root material out of band, at which point they should pass that material via a trusted...

> I just don't think slsa-verifier should be involved in the lower-level details of the TUF client.

Could you say what you mean by lower-level details? Do you mean...

I think there may be some conflation of "roots". https://pkg.go.dev/github.com/sigstore/[email protected]/pkg/tuf#Options.WithRoot refers to the TUF root, as in the [root of trust](https://github.com/sigstore/root-signing/blob/main/repository/repository/root.json) for the TUF metadata. The ["trusted root"](https://pkg.go.dev/github.com/sigstore/[email protected]/pkg/root#NewTrustedRootProtobuf) is the...