Hayden B
@ianlewis, did you have a code pointer to where bundles are generated in slsa-github-generator? I was just poking around this. Other Sigstore clients are using `.sigstore.json` as the extension for...
Just filed https://github.com/slsa-framework/slsa-github-generator/issues/3750 to track bundle output.
Thanks for the pointers! I would suggest we pursue Sigstore bundles in https://github.com/slsa-framework/slsa-github-generator/issues/3750 as that gives us an easy way to bundle DSSEs with the necessary verification material for offline...
I'll mention that the Sigstore bundle should work for private PKI as well. We've designed it to primarily support the spec-compliant path but it's decently flexible - timestamps aren't required,...
@hectorj2f @cpanato Any suggestions?
Wouldn’t this be needed for supporting provenance for the Java ecosystem? To clarify, this issue was to track adding support for the DSSE rekor type on signing, as we only...
Will hold til v3
@hectorj2f @cpanato We're about to push out a major release. Do we want to clean this up now? Can you also remind me (and the other maintainers @steiza and @cmurphy) what...
We recognize that much of cmd/ is untested but we should use this opportunity to improve coverage. I'd recommend adding tests for the changed function, and refactoring if needed so...
The root cause is that `--certificate-chain` is not a bundle, it's the chain to verify `--certificate`. The chain should be comprised of PEM-encoded certificates starting with the intermediate and ending...