Hayden B
Timely ping, we just deployed to prod an hour ago! Can you test against prod?
As I talked about in https://github.com/sigstore/cosign/issues/4019#issuecomment-2613569440, I'd like to see Sigstore libraries be unopinionated. They should be signature verifiers, and going up the stack, there should be DSSE verifiers, intoto...
Yep, JSON is all that Rekor supports currently, though we could support more than that. It means that other clients have to understand how to canonicalize non-JSON DSSEs, which I'm...
No, they don't currently. Rekor only understands intoto payloads - https://github.com/sigstore/rekor/blob/main/pkg/types/dsse/v0.0.1/entry.go#L113 and https://github.com/sigstore/rekor/blob/main/pkg/types/dsse/v0.0.1/entry.go#L159
(catching up from being out) It's part of the canonicalized structure. The service computes the payload hash based on the provided payload - https://github.com/sigstore/rekor/blob/main/pkg/types/dsse/v0.0.1/entry.go#L247-L251
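As an added example to go with the comments above (my code, not Hayden B's and not Rekor's own implementation), here is a small DSSE envelope signer/verifier that also computes the payload hash the way a log entry would need it. It assumes, as the comment says, that the hash is taken over the provided payload, specifically SHA-256 over the base64-decoded payload bytes rather than over the envelope or the base64 string; it also assumes the in-toto payload type string `application/vnd.in-toto+json` and uses a locally generated ECDSA P-256 key. The `Envelope`, `pae`, `payloadHash`, `signEnvelope` and `verifyEnvelope` names are mine, and the sample statement is constructed.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// Envelope is the DSSE wire format: a payload type, a base64 payload and one or more signatures.
type Envelope struct {
	PayloadType string      `json:"payloadType"`
	Payload     string      `json:"payload"` // standard base64 of the raw payload bytes
	Signatures  []Signature `json:"signatures"`
}

// Signature carries one signature over PAE(payloadType, payload).
type Signature struct {
	KeyID string `json:"keyid"`
	Sig   string `json:"sig"` // standard base64 of the signature bytes
}

// inTotoPayloadType is the payload type a Rekor intoto/DSSE entry is assumed to require.
const inTotoPayloadType = "application/vnd.in-toto+json"

// pae builds the DSSE pre-authentication encoding:
// "DSSEv1" SP LEN(type) SP type SP LEN(payload) SP payload
func pae(payloadType string, payload []byte) []byte {
	return []byte(fmt.Sprintf("DSSEv1 %d %s %d %s", len(payloadType), payloadType, len(payload), payload))
}

// parseEnvelope decodes the JSON envelope text a client submits.
func parseEnvelope(data []byte) (*Envelope, error) {
	var env Envelope
	if err := json.Unmarshal(data, &env); err != nil {
		return nil, fmt.Errorf("envelope is not valid JSON: %w", err)
	}
	return &env, nil
}

// payloadHash returns hex(SHA-256(decoded payload)). Assumption: this is the value a
// Rekor DSSE entry records; it is over the payload bytes exactly as the signer supplied them,
// so re-serializing the JSON with different whitespace yields a different hash.
func payloadHash(env *Envelope) (string, error) {
	payload, err := base64.StdEncoding.DecodeString(env.Payload)
	if err != nil {
		return "", fmt.Errorf("payload is not base64: %w", err)
	}
	sum := sha256.Sum256(payload)
	return hex.EncodeToString(sum[:]), nil
}

// signEnvelope wraps payload in an envelope and signs the PAE with an ECDSA P-256 key.
func signEnvelope(priv *ecdsa.PrivateKey, payloadType string, payload []byte) (*Envelope, error) {
	digest := sha256.Sum256(pae(payloadType, payload))
	sig, err := ecdsa.SignASN1(rand.Reader, priv, digest[:])
	if err != nil {
		return nil, err
	}
	return &Envelope{
		PayloadType: payloadType,
		Payload:     base64.StdEncoding.EncodeToString(payload),
		Signatures:  []Signature{{KeyID: "example-key", Sig: base64.StdEncoding.EncodeToString(sig)}},
	}, nil
}

// verifyEnvelope accepts the envelope if at least one signature verifies under pub.
// With requireInToto set it additionally rejects any payload type other than in-toto,
// mirroring a log entry type that only understands in-toto payloads.
func verifyEnvelope(pub *ecdsa.PublicKey, env *Envelope, requireInToto bool) error {
	if requireInToto && env.PayloadType != inTotoPayloadType {
		return fmt.Errorf("unsupported payload type %q", env.PayloadType)
	}
	payload, err := base64.StdEncoding.DecodeString(env.Payload)
	if err != nil {
		return fmt.Errorf("payload is not base64: %w", err)
	}
	if len(env.Signatures) == 0 {
		return errors.New("envelope has no signatures")
	}
	digest := sha256.Sum256(pae(env.PayloadType, payload))
	for _, s := range env.Signatures {
		raw, err := base64.StdEncoding.DecodeString(s.Sig)
		if err == nil && ecdsa.VerifyASN1(pub, digest[:], raw) {
			return nil
		}
	}
	return errors.New("no signature verified")
}

func main() {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	// Constructed in-toto statement; the bytes, not their JSON meaning, are what gets hashed.
	payload := []byte(`{"_type":"https://in-toto.io/Statement/v1","subject":[]}`)
	env, _ := signEnvelope(priv, inTotoPayloadType, payload)
	text, _ := json.MarshalIndent(env, "", "  ")
	parsed, _ := parseEnvelope(text)
	h, _ := payloadHash(parsed)
	fmt.Printf("%s\npayloadHash=%s\nverify=%v\n", text, h, verifyEnvelope(&priv.PublicKey, parsed, true))
}
```

Running it prints the envelope, the hex payload hash and a nil verification error; swapping the payload type for `application/json` makes the in-toto-only verifier reject the envelope even though the signature is still valid, which is the distinction the comments draw between a plain DSSE verifier and the log's intoto-only entry type.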
For Rekor, I don't believe we have restrictions on the DigestSet. I've been looking over the [code](https://github.com/sigstore/rekor/blob/main/pkg/types/dsse/v0.0.1/entry.go#L128-L130) and don't see where this restriction is present. Do you have an error...
We don't have support for that, though it should be straightforward to implement it.
A dedicated command like `update-key-pair` sounds good.
@dependabot rebase
Don't want to bump to 1.24 yet.