Hayden B
Hayden B
I'm +1 to all of these changes, thanks for putting this together! > In some instances, we may want to allow a client to provide a *x509.CertPool This also will...
> And if so, is there a meaningful difference / does that allow malicious use that wouldn't be allowed if they were separate? It shouldn't allow any malicious behavior. x509...
I kicked off tests, it's because we require approval for 1st-time submitters outside the org.
There is no 10.root.json. The reason that is requested is the TUF protocol for updating local roots, which will attempt to download roots 1, 2, and so on, until the...
Building in retries could help. Is this an error you see frequently? We haven’t seen this reported before, so I wonder if there’s something unique about the environment.
@kommendorkapten Did you have an example in mind for how to handle "other custom logic that would require access to the timestamp and trusted material"? Is your thought to keep...
Completed as per #351!
Moving this to draft.
Going to close this as we work towards a v3 release. Feel free to reopen at a later point. I'll also note that signatures and other verification metadata will now...
This is used beyond just Sigstore Go infra and clients, as this contains useful crypto utils. We had this discussion with KMS awhile ago. I thought Go was smart enough...