Hayden B

Results: 827 comments by Hayden B

That’d also give us the ability to define a machine readable format with information about the bundle and signature, would be very useful for policy engines to consume to make...

I think we should have both: a simple-to-use secure verification with `verify`, and `inspect` for those who want to author their own policies. For simple use cases, like one-off...

Design doc: https://docs.google.com/document/d/1o8_bXIygufgiohJGlmBzqF4_BnXCTfgh4ILgJFJxYRs/edit?resourcekey=0-YEar3v67uoT31kj83dCVvA# (sigstore-dev@ for access)

Related issues I'm going to leave open that will be closed once this is completed: https://github.com/sigstore/cosign/issues/1947, https://github.com/sigstore/cosign/issues/1964

Related but will be tackled independent from...

@kpk47 will be taking on this issue. Thanks @kpk47!

@asraa Any thoughts on this? Do you have the context on the set of information we initially chose to include in issued certs for GitHub? Some of this information seems...

I think it'd be difficult to build a verification policy that enforces run ID rather than workflow ID. I can have a policy that says "I only trust builds from...

Copying response from a Fulcio issue (https://github.com/sigstore/fulcio/issues/250) on this topic: There are no current plans to include the Fulcio root in the macOS or Windows trust stores. The way that...

Looks like there's inconsistent behavior, `cosign sign ... --output-certificate cert.pem` does not base64 encode the output. We just need to fix it for sign-blob.

This may have been to handle DER-encoded certificates, but we only return PEM-encoded.

We're discussing a rollout plan; will ping this PR once Fulcio's been updated.