asraa
Another small addition:
> I ask because I'm having trouble explaining the benefit of https://github.com/slsa-framework/slsa-github-generator over this, specifically in the context of the npm RFC above. If both are...
> you get level 3 for build without the need to fetch / parse a workflow

Big +1 here. The value of having a SLSA 3 attestation here is that...
cc @haydentherapper
It also seems like this adds all staged targets to a delegation if we do something like: `repo.AddTargetsWithExpiresToPreferredRole([]string{}, nil, expiration, delegation-foo)` for better (bad) compatibility, could we restrict this...
> Hi, it seems that the spec versions are already initialized to 1 in types.go

Hey! It's not the spec version, but the version of the metadata file.
Hey @pbrkr! The way that you have described it is what `cosign verify-blob` performs. (caveat: I think cosign may not support pgp signature searching) In my opinion, the functionality for...
Agree that we should definitely export verification methods. I can take a first stab at `./rekor-cli verify` and include some factoring out of the verification methods to start.
How often does someone append signatures on to an envelope and then trigger an upload without knowing the public key of the previous sig? If (1) is locked in, it...
> These APIs might need to change to support delegations, since they implement key management for roles. However, delegated targets keys are associated with delegations, not roles (see https://github.com/theupdateframework/specification/issues/214)....
> What I'm unsure of is whether it makes sense from a user's perspective to update the threshold for all incoming DelegatedRoles, if there are multiple delegatees.

I don't think...