Hayden B
Ah, I think I see the issue. You need to also attach the Rekor response ("rekor bundle") to the OCI image to resolve the issue. `upload=false` is going to prevent...
You can drop `certificate-chain` and `certificate` during `cosign verify`, since they're already attached to the container and cosign will get them from the container manifest. > I am also making...
This is because you have to configure Cosign with the roots of trust (Rekor pub key, Fulcio cert chain) from your self-hosted instance. You can either specify trusted roots via...
Hey, this is a great question. There are a few issues at play here: 1. We don't have a great UI around providing trusted roots (which could be self-signed "roots" or...
There's been no progress made. If anyone wants to contribute a PR for solution (3), I'd be happy to approve it. Longer term, pools are what I'd like to implement...
Mentioned on the PR, but I'd like to still enforce that the intermediate that issued the leaf certificate has an EKU of Timestamping, which should work when verifying the Digicert...
https://github.com/sigstore/timestamp-authority/releases/tag/v1.2.8 has been released which includes the relaxed intermediate validation. Just need to update Cosign to use v1.2.8.
Will need to investigate more. Can you confirm the ordering of the chain and the command you used?
We are working on a new version of Rekor based on Tessera. More to come!
LGTM! A few details: `--sct` can be dropped; we are deprecating detached SCTs (https://github.com/sigstore/fulcio/issues/1499). For `--bundle`, we should note this is how an inclusion proof/SET is provided. One open question...
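The comments above keep coming back to the Rekor bundle: it has to be attached to the image (L3), it is what `--bundle` carries (the SET, L12), and verifying it offline only works once Cosign trusts the Rekor public key of the instance that produced it (L5). The following is an added example, not code from Cosign, Rekor or the commenter, showing what that offline check amounts to. It assumes the Rekor bundle layout Cosign attaches (`SignedEntryTimestamp` plus a `Payload` with `body`, `integratedTime`, `logIndex`, `logID`) and Rekor's signing scheme (ECDSA P-256 over SHA-256 of the RFC 8785 canonical JSON of those four fields). The key pair is generated locally as a stand-in for a self-hosted Rekor instance, and the entry contents are constructed for the example:

```python
import base64
import json

from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec


def canonical_payload(payload: dict) -> bytes:
    """Serialize the SET payload the way Rekor does before signing it:
    canonical JSON (sorted keys, no insignificant whitespace) of exactly
    the four fields body, integratedTime, logID and logIndex."""
    fields = {k: payload[k] for k in ("body", "integratedTime", "logID", "logIndex")}
    return json.dumps(fields, sort_keys=True, separators=(",", ":"),
                      ensure_ascii=False).encode("utf-8")


def verify_set(rekor_bundle: dict, rekor_pub_pem: bytes) -> bool:
    """Check the SignedEntryTimestamp of a Rekor bundle against the Rekor
    public key you trust (for a self-hosted instance, the key you configured
    as a root of trust). True only if the SET is a valid ECDSA/SHA-256
    signature over the canonical payload, i.e. the log really signed this
    body at this index and integration time."""
    pub = serialization.load_pem_public_key(rekor_pub_pem)
    sig = base64.b64decode(rekor_bundle["SignedEntryTimestamp"])
    try:
        pub.verify(sig, canonical_payload(rekor_bundle["Payload"]),
                   ec.ECDSA(hashes.SHA256()))
        return True
    except InvalidSignature:
        return False


def make_demo_bundle(rekor_priv: ec.EllipticCurvePrivateKey) -> dict:
    """Constructed sample: a hashedrekord-style entry signed with a locally
    generated key that stands in for a self-hosted Rekor's signing key.
    Digest, logID, index and time are made-up values for the example."""
    entry = {"apiVersion": "0.0.1", "kind": "hashedrekord",
             "spec": {"data": {"hash": {"algorithm": "sha256", "value": "ab" * 32}}}}
    payload = {
        "body": base64.b64encode(json.dumps(entry).encode()).decode(),
        "integratedTime": 1700000000,
        "logIndex": 42,
        "logID": "cd" * 32,
    }
    sig = rekor_priv.sign(canonical_payload(payload), ec.ECDSA(hashes.SHA256()))
    return {"SignedEntryTimestamp": base64.b64encode(sig).decode(), "Payload": payload}


def demo() -> tuple:
    """Returns (valid_bundle_ok, tampered_bundle_ok). A bundle whose logIndex
    has been altered after signing must fail, which is why the SET is what
    lets a verifier trust the inclusion claim without talking to the log."""
    rekor_priv = ec.generate_private_key(ec.SECP256R1())
    rekor_pub_pem = rekor_priv.public_key().public_bytes(
        serialization.Encoding.PEM, serialization.PublicFormat.SubjectPublicKeyInfo)
    bundle = make_demo_bundle(rekor_priv)
    genuine = verify_set(bundle, rekor_pub_pem)

    tampered = json.loads(json.dumps(bundle))  # deep copy
    tampered["Payload"]["logIndex"] += 1
    forged = verify_set(tampered, rekor_pub_pem)
    return genuine, forged


if __name__ == "__main__":
    print(demo())
```

Cosign performs this same check when it finds a Rekor bundle attached to the image or passed with `--bundle`, using whichever Rekor public key it has been configured to trust; if that key belongs to the public instance while the bundle came from a self-hosted Rekor, the SET verification fails exactly as the tampered case does here.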