asraa
> I really like the approach of using docker to accommodate complex build systems. We could "easily" wrap this up in a reusable workflow to streamline the work. +1!!!...
Are you planning on signing the provenance in order for the output of the trusted builder to be non-forgeable? If so, where would you hold the provenance? Maybe on the...
> @asraa do you know what this is? Yeah, that's right -- it's because old versions of cosign just had a faulty TUF client that couldn't handle any updates to...
I think it's the same as well.
Another use case is to test the configuration. For example, I didn't realize that env vars are case-sensitive and ran into this problem ``` env variable empty or not set: {{...
I believe this is because we wanted the entry UUID and the `TLogUploadInTotoAttestation` func does not provide that. We can just calculate it from the entry body.
Some updates from the official sigstore bundle PR: the bundle would be a JSON that has the following format, with a sigstore bundle intoto type: ``` { "mediaType": "application/vnd.dev.sigstore.bundle.v1+json", "rekorEntry":...
> each of the certificates listed in the Targets metadata has additional metadata in the [custom](https://theupdateframework.github.io/specification/latest/#custom) field that describes their usage. While this will work currently for all top-level targets,...
> To be clear, are we recommending targets are searched by delegation path not by the usage field in custom? Searched by path (not necessarily delegation path): for top-level targets...
> [TUF and target discovery](https://docs.google.com/document/d/1rWHAM2qCUtnjWD4lOrGWE2EIDLoA7eSy4-jB66Wgh0o) Speaking of this: the best way forward is probably to keep the Sigstore TUF root with only top-level targets, where we CAN do path filtering...