Hayden B

Results 828 comments of Hayden B

Yea, I noted on the Slack thread that this may not be an issue if the kind or canonicalized entry is persisted.

You could also work around this by specifying the DSSE's [PAE](https://github.com/secure-systems-lab/dsse/blob/master/protocol.md#:~:text=Functions%3A-,PAE,-()%20is%20the%20%22Pre) and using `cosign sign/sign-blob` rather than `cosign attest/attest-blob`. This could either be done by a separate tool or a...

Will review once 1595 is agreed upon and merged

I'm good with this approach to attempt verification twice. The other option would be plumbing through which rekor type is being verified, and only use the -ph variant for hashedrekord....

Will take a closer look Monday, but overall LGTM

This is also blocked by Fulcio support, correct? Either we'll need to be OK with Fulcio certifying ed25519ph keys as ed25519 (my preference), or fork x509.go. Edit: sorry, ignore part...

I believe this is missing the trial verification and the last comment about limiting when the key is the prehash variant?

At HEAD, this is WAI: `--certificate-identity or --certificate-identity-regexp is required for verification in keyless mode` - You need to specify the identity flags now, but we haven't updated docs for...

To confirm, is this issue saying the docs are broken, or something else? If it's just the docs, can you update https://github.com/sigstore/cosign/issues/2534?