Hayden B

Results 827 comments of Hayden B

> if the clients operate as tuf spec requires

This is the issue, at least for the Go client: it allows for configuration that doesn't follow the spec. In Cosign,...

Oh sorry, I re-read: you're saying to keep the timestamp validity the same but just up the frequency of signings. Gotcha, that seems good! Though I think we should think...

I agree that option 1 is what I'd recommend for those who don't need to deal with TUF environments. You'll see examples of providing a trust root in https://github.com/sigstore/sigstore-python?tab=readme-ov-file#configuring-a-custom-root-of-trust-byo-pki. I...

Sorry for the delayed response! Great discussions thus far. As Fredrik and Jussi mentioned, this isn't a regression from Rekor v1, so I don't see this as something that needs...

I’d recommend doing this in a non-breaking way given we just rolled out 2.0 and shouldn’t introduce breaking behavior right away. This might introduce a lot of flag confusion though,...

Some of the signing and verification refactors might also tie in with the Sigstore-go library work.

One detail: Cosign does not create ephemeral keys backed by KMS. Cosign either generates an ephemeral, in-memory key, or uses a provided key in KMS, an HSM or on disk....

Partially completed as of https://github.com/sigstore/sigstore/pull/1951/

@steiza I think this is complete at this point, want to close it out?

cc Sigstore TSC @bobcallaway @trevrosen @SantiagoTorres @lukehinds @priyawadhwa, who reviewed this proposal as well.