Hayden B
We have somewhat already separated out how to fetch trust root material - each time a target is required, a TUF client is initialized and that target is requested, like...
@steiza This also gets into the idea of pools over chains which was discussed in https://github.com/sigstore/protobuf-specs/issues/249 - moving towards allowing pools of trusted certs and push chain building to the...
We should also update https://docs.sigstore.dev/system_config/custom_components/.
These issues should be distinct, though there might be some overlap when implementing. #3548 should fetch the same set of targets as the current implementation, namely the individual target files...
The Rekor bundle format is not an exact match of what's returned from the server, it's a [struct](https://github.com/sigstore/cosign/blob/e678426b3d524f15cab553e57eb6900f8280fb62/pkg/cosign/bundle/rekor.go#L23-L26). https://github.com/sigstore/cosign/pull/3248/ added support for outputting both the Rekor response struct and other...
What would those be used for? The purpose of including those flags for “cosign sign” is to attach them to the OCI image. For sign-blob, there is nothing to attach...
SG, I would also test for how this interacts with Rekor. Though this is likely related to the other issue you filed regarding precedence between keys and certs.
@mlieberman85, in addition to reaching out to some of the companies that work on Sigstore, I was planning to see if anyone from the CT community that has experience operating...
Looking forward to starting this work! Thanks all!
Thank you for the update @afmarcum! Please let me know next steps.