Hayden B

Results: 827 comments by Hayden B

Ah, this is all scoped to BYO PKI. For the first point, that is reasonable to not require the flags since you’re passing the certificate. The logic would look something...

Yeah, this seems like an issue because we had previously supported certificates like that. A subcommand should help this, but for now, I think the easiest option is to...

The other option is adding some flag that says my certificate is non-conforming (effectively a BYO flag), but I don’t really think that is great user experience. cc @znewman01 thoughts...

@nsmith5, do you want to check out https://github.com/sigstore/cosign/pull/2633 locally and check to see if that mitigates the second issue?

@nsmith5 Been thinking a bit more about how to fix the first issue with requiring the identity flags. The problem is that even if we remove requiring the flag when...

> I feel like this way we don't ever really need to open up a flag like --allow-all-identities, but I'm not sure if I'm missing a use case in this...

That sounds like a great feature!

LGTM, thanks @znewman01! One more immediate AI, a part of minimal changes, is to complete https://github.com/sigstore/cosign/pull/2633 as a fix for verifying with a provided Fulcio-like certificate.

Hey @avishayil, I haven't had a chance to fix this. Can you confirm which command you're running that is failing for you? For OCI, you can also run `cosign attach`...

To confirm, does that error occur during `cosign attach` or during `cosign verify`? On verification, you'll need to specify `--insecure-skip-tlog-verify=true`. If this occurred during attachment, we can investigate why as...