Hayden B
Something to learn from is how OpenSSL implements this: you pass a set of trusted certificates (typically root certs) and "untrusted" certs used for chain building (typically intermediates). I'd...
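The trusted/untrusted split described in the comment above, as an added example that is not part of the original comment nor of any sigstore project code: Go's crypto/x509 exposes the same model as OpenSSL through VerifyOptions.Roots (trusted anchors) and VerifyOptions.Intermediates (chain-building material that confers no trust on its own). The root, intermediate and leaf are a constructed in-memory test PKI; the helper names (makeCert, verifyLeaf, BuildAndCheck) and the subject names are placeholders chosen for this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// makeCert issues a short-lived constructed test certificate for cn. With parent == nil
// it is self-signed (a root); otherwise it is signed by parentKey, the parent's key.
func makeCert(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64))
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Minute),
		NotAfter:              time.Now().Add(time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}
	}
	signer := key
	if parent == nil {
		parent = tmpl // self-signed root
	} else {
		signer = parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, nil, err
	}
	return cert, key, nil
}

// verifyLeaf mirrors OpenSSL's split: Roots holds what we trust (anchors),
// Intermediates holds certificates usable for chain building only.
func verifyLeaf(leaf *x509.Certificate, trusted, untrusted []*x509.Certificate) ([][]*x509.Certificate, error) {
	roots := x509.NewCertPool() // an empty non-nil pool means "trust nothing", not "use system roots"
	for _, c := range trusted {
		roots.AddCert(c)
	}
	inters := x509.NewCertPool()
	for _, c := range untrusted {
		inters.AddCert(c)
	}
	return leaf.Verify(x509.VerifyOptions{
		Roots:         roots,
		Intermediates: inters,
		KeyUsages:     []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning},
	})
}

// Outcome records how three pool configurations fare against a root -> intermediate -> leaf chain.
type Outcome struct {
	RootTrustedWithIntermediate    bool // trusted={root}, untrusted={intermediate}: succeeds
	RootTrustedMissingIntermediate bool // trusted={root}, untrusted={}: chain cannot be built
	OnlyIntermediateUntrusted      bool // trusted={}, untrusted={intermediate}: no anchor, fails
	ChainLen                       int  // certificates in the chain found in the first case
}

// BuildAndCheck mints the constructed test PKI in memory and runs the three checks.
func BuildAndCheck() (Outcome, error) {
	var out Outcome
	root, rootKey, err := makeCert("Test Root CA", true, nil, nil)
	if err != nil {
		return out, err
	}
	inter, interKey, err := makeCert("Test Intermediate CA", true, root, rootKey)
	if err != nil {
		return out, err
	}
	leaf, _, err := makeCert("signer@example.test", false, inter, interKey)
	if err != nil {
		return out, err
	}
	chains, err := verifyLeaf(leaf, []*x509.Certificate{root}, []*x509.Certificate{inter})
	out.RootTrustedWithIntermediate = err == nil
	if err == nil && len(chains) > 0 {
		out.ChainLen = len(chains[0])
	}
	_, err = verifyLeaf(leaf, []*x509.Certificate{root}, nil)
	out.RootTrustedMissingIntermediate = err == nil
	_, err = verifyLeaf(leaf, nil, []*x509.Certificate{inter})
	out.OnlyIntermediateUntrusted = err == nil
	return out, nil
}

func main() {
	out, err := BuildAndCheck()
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", out)
}
```

The third case is the one that matters for a verifier: handing the intermediate over as untrusted material does not make it an anchor, so a chain that never reaches a certificate in the trusted set is rejected even though every signature in it checks out.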
Do you know if https://github.com/theupdateframework/rust-tuf would be compatible or is maintained more actively?
- [ ] We should also look at creating docker compose scripts that pull in tagged containers at the latest version rather than rebuilding the containers. We can check in...
TIL, I wasn't aware of this feature! This is neat, would be a nice way to enforce multi-party review for releases. I'm supportive of adding this as an extension. cc...
We'll get this rolled out shortly!
For GitHub, `environment` is only included when running a workflow from an environment. Fulcio currently expects that every configured claim has a value. Will need to think through how to...
@lkatalin I know Red Hat recommends rekor-cli. Do you have a use case in mind where you need only log entry verification without signature verification, or could Cosign be sufficient?
@bobcallaway Do you have access to sigstore-bot and can do this? (Also, how do we get access to sigstore-bot?)
Wrote this up a bit ago to help onboard a new provider who didn't want to have an interactive signing flow where a user was present. This doc outlines the...
I'd be supportive of reducing to a day, but we should try to get community input on this given it would increase the frequency of online queries during verification.