Hayden B
#4050 has been merged!
Going to call this wrapped up now. We've got one open PR for fixing an issue with ed25519 keys, but otherwise this is done.
Love this idea! As Phil said, what you want is to know that what you're verifying came from some repository - you shouldn't need to know the exact structure of...
@cpanato, the motivation is to simplify CI/CD OIDC provider onboarding. Rather than have each OIDC provider have to modify code to add a new provider, they instead should only need...
Once this PR is ready for review and all comments addressed, can you post here?
In terms of release, I'm planning to cut 1.5 from before this PR, then we'll merge this and the other related changes and cut v1.6
Some suggestions:
* Have a single config.yaml file which contains all of the trusted providers
* Remove config/fulcio-config.yaml, double checking that it's not used
* Add the email and description...
@cpanato can you review the updates around CI?
Thanks for the feedback! Agreed that we need to think through the UX for CI systems more. As a first step, warning on overly permissive regex (.*/.+) would be good.
That's fine, this metadata is the root of trust for the TUF metadata. As per [the TUF spec](https://theupdateframework.github.io/specification/latest/#load-trusted-root), a TUF client will download N+1 versions until it receives an error,...