Hayden B


Just wanted to check in, did you have any questions about these suggestions?

Closing as this is currently being worked on.

One comment from the linked thread on rekor is that it is possible to have a freeze attack against local metadata up to the expiration of the timestamp. This would...

Of course, thanks! For some background info: Sigstore ships its [roots of trust](https://github.com/sigstore/root-signing/tree/main/targets) to verify certificates and log entries via [TUF](https://theupdateframework.io/). I'd suggest first tackling https://github.com/sigstore/rekor-monitor/issues/51, to integrate a TUF...

To test against an instance of Rekor, you can take inspiration from https://github.com/sigstore/cosign/blob/main/test/e2e_test.sh

Implemented, pending calling from a GitHub action. https://github.com/sigstore/rekor-monitor/pull/472

Here are the Sigstore OIDs we should support monitoring for: https://github.com/sigstore/fulcio/blob/main/docs/oid-info.md

This one came up again, when an entry had an incorrectly encoded extension in a certificate. We really need to fix this because it makes catching up exponentially harder with...

This sounds good to me. Overall this needs to be reworked, and each of these should be able to fail independently of one another without causing the verifier to stop.