Hayden B
For the ask, yes, we had someone from nvidia asking about support for this in Cosign. Given it's already supported in Cosign, I'd love to see this supported here in...
> My read of that is v0.3 bundles that are not using PGI may include intermediate certificates, which I think was the motivation for requesting this change.
> We could...
I'd be supportive of that design. It would make it easier to support requests like https://github.com/sigstore/cosign/issues/2568, asking for CRLs. For the interface, would we want to include intermediate and root...
Closing - https://github.com/sigstore/sigstore-go/issues/132#issuecomment-2859823066 Thank you for working on this! We'll revisit in Cosign whenever we tackle redoing the BYO PKI features in Cosign.
This should be straightforward to add, as sigstore-python supports providing URLs for the Rekor and Fulcio instances, along with either a URL for the TUF repo or a trusted root...
Here are more details: https://github.com/sigstore/sigstore-python?tab=readme-ov-file#configuring-a-custom-root-of-trust-byo-pki
+1, this is on the roadmap for sigstore-python FYI @woodruffw
Dismissing my review, seems like this isn't WAI according to https://github.com/sigstore/sigstore-go/issues/63#issuecomment-2135585754
@hectorj2f Can you take a look at this?
For Sigstore, we want to discourage doing live lookups in the log in favor of verifying persisted inclusion proofs offline. We've filed an issue (https://github.com/slsa-framework/slsa-github-generator/issues/3750) to track support for this....
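The comment above prefers verifying a persisted inclusion proof offline over a live lookup in the log. The following is an added example, not code from the thread or from any Sigstore project, showing what that check consists of: Rekor (like Certificate Transparency) hashes its Merkle tree per RFC 6962, with a 0x00 prefix for leaves and a 0x01 prefix for interior nodes, so a verifier that already holds the leaf, its index, the tree size, the audit path and the tree head can recompute the root with no network access. The tree builder and the sample leaves below are constructed here only so the example runs stand-alone; a real client would take the proof and root from the bundle and must additionally check the log's signature over the tree head, which this block does not do.

```python
import hashlib

# RFC 6962 domain-separation prefixes; Rekor's Merkle hasher uses the same scheme.
LEAF_PREFIX = b"\x00"
NODE_PREFIX = b"\x01"


def leaf_hash(data: bytes) -> bytes:
    """Hash of a leaf entry: SHA-256(0x00 || data)."""
    return hashlib.sha256(LEAF_PREFIX + data).digest()


def node_hash(left: bytes, right: bytes) -> bytes:
    """Hash of an interior node: SHA-256(0x01 || left || right)."""
    return hashlib.sha256(NODE_PREFIX + left + right).digest()


def root_from_proof(leaf_index: int, tree_size: int, leaf: bytes, proof: list) -> bytes:
    """Recompute the tree head from a leaf and its audit path (RFC 6962 inclusion check).

    Raises ValueError if the proof is malformed for the claimed index/size.
    """
    if tree_size < 1 or not 0 <= leaf_index < tree_size:
        raise ValueError("leaf index out of range for tree size")
    fn, sn = leaf_index, tree_size - 1
    r = leaf_hash(leaf)
    for p in proof:
        if sn == 0:
            raise ValueError("proof has more nodes than the tree height allows")
        if fn & 1 or fn == sn:
            # Sibling is on the left (or we are a lone right-most node).
            r = node_hash(p, r)
            if not fn & 1:
                # Skip levels where the right-most node has no sibling.
                while fn != 0 and not fn & 1:
                    fn >>= 1
                    sn >>= 1
        else:
            r = node_hash(r, p)
        fn >>= 1
        sn >>= 1
    if sn != 0:
        raise ValueError("proof has fewer nodes than the tree height requires")
    return r


def verify_inclusion(leaf_index: int, tree_size: int, leaf: bytes, proof: list, root: bytes) -> bool:
    """Offline inclusion check: True iff the proof binds `leaf` to `root`."""
    try:
        return root_from_proof(leaf_index, tree_size, leaf, proof) == root
    except ValueError:
        return False


# --- Constructed reference tree, used only to produce proofs for this example ---

def merkle_root(leaves: list) -> bytes:
    """MTH(D[n]) from RFC 6962 section 2.1."""
    n = len(leaves)
    if n == 1:
        return leaf_hash(leaves[0])
    k = 1 << (n - 1).bit_length() - 1  # largest power of two strictly less than n
    return node_hash(merkle_root(leaves[:k]), merkle_root(leaves[k:]))


def audit_path(m: int, leaves: list) -> list:
    """PATH(m, D[n]) from RFC 6962 section 2.1.1, ordered leaf-to-root."""
    n = len(leaves)
    if n == 1:
        return []
    k = 1 << (n - 1).bit_length() - 1
    if m < k:
        return audit_path(m, leaves[:k]) + [merkle_root(leaves[k:])]
    return audit_path(m - k, leaves[k:]) + [merkle_root(leaves[:k])]


# Constructed sample entries standing in for canonicalised Rekor log entries.
SAMPLE_LEAVES = [f"entry-{i}".encode() for i in range(6)]


if __name__ == "__main__":
    root = merkle_root(SAMPLE_LEAVES)
    for idx, leaf in enumerate(SAMPLE_LEAVES):
        path = audit_path(idx, SAMPLE_LEAVES)
        print(idx, verify_inclusion(idx, len(SAMPLE_LEAVES), leaf, path, root))
    # A leaf that was never logged must not verify against the same root.
    print("forged", verify_inclusion(2, 6, b"entry-forged", audit_path(2, SAMPLE_LEAVES), root))
```

The `while` loop in `root_from_proof` handles the non-power-of-two tree sizes a live log has at almost any moment; omitting it is the classic mistake when people hand-roll this check. In practice the verifier also needs the log's signature over `(tree_size, root)` so that an attacker cannot supply a consistent but fabricated root alongside a forged proof.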