Hayden B

Results: 828 comments by Hayden B

2 is always needed, 1 (the root metadata) does not specify where the TUF repo is hosted.

I'll leave comments on the PR for the interface! One quick comment is that "witness" needs a different name to avoid conflicting with the concept of witnessing from the tlog...

> Signing requires exactly 1 signer and at least 1 witness

I don't think we should enforce the latter because in the case of private key signing in a private...

> I knew cosign supported Rekor, but I had to double check on the RFC3161 Timestamp, which it looks like it does support with --timestamp-server-url.

Yes, Cosign supports RFC3161 timestamp...

> What about either of:
>
> 1. a new repo sigstore/sigstore-providers
>
>    * avoids adding a bunch of new dependencies to sigstore/sigstore
>    * avoids making sigstore/sigstore even...

Yea, you'll need Cosign's GitHub provider if you're fetching the token as part of a Go binary, or if you're running in an action, getting the token following https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-cloud-providers#adding-permissions-settings and...

Good find. Talking out loud to convince myself there's no issue:

* Let's imagine time exists from 0 to 100
* The TSA root and intermediate are valid from 10...

@codysoyland, I believe "CT log compares against issued SCTs" is still missing, so I've updated the title accordingly.

IIRC yea, Cosign does not check this as well, it only compares signatures - https://github.com/sigstore/cosign/blob/main/pkg/cosign/verify.go#L1164-L1188

Signatures are malleable, for example an ECDSA signature can be represented in two ways, so...

Thanks @woodruffw! I agree that I think part of this issue is figuring out what needs to be compared. I'll take a pass over this code again and see if...