Hayden B
Thank you @ianlewis for the code pointer, a test release worked as expected!
> Given that rekor will be running v1 and v2 clients simultaneously during the transition period, clients with code to determine the threshold of tlog entries would need to know,...
My 2 cents: This is a breaking change on the verification path regardless, because we're changing the body of the response, what's used to compute the leaf hash. TLE v2 lets...
The Rekor v2 dev team discussed this offline and decided to stick with the current type for now: * One of the issues we uncovered, that Rekor v2 wasn't returning...
This is now complete.
@cpanato any idea why? At a glance at documentation, I don’t see anything about configuring checksums
@cpanato Do you know why we don't sign RPMs and Deb packages with the artifact key? @scruloose this is a bit of a chicken and egg problem. If you can...
@cpanato Yea, the files you linked are for Cosign signed with Cosign. It looks like we're lacking a binary signed with the artifact key.
SGTM, would you like to make the change?
We've completed https://github.com/sigstore/sigstore/issues/1658 to offer a plugin interface for KMS providers. Organizations can independently and privately develop & distribute their plugins without needing downstream updates to libraries to support additional...