asraa

Results 448 comments of asraa

> I understand the conclusion reached here: when sigstore-python adds TUF support, should we discover the CT key(s) via their custom metadata, their filename, or some other mechanism? Since Target...

So I wonder if maybe something with the staging instance got messed up. One thing that would be great for debugging is instead of just `--output-signature` which writes the signature...

Amazing, you are the best! I was able to verify this with cosign

```
$ SIGSTORE_REKOR_PUBLIC_KEY=rekor.staging.pub COSIGN_EXPERIMENTAL=1 ./cosign verify-blob --signature python.sig --cert python-cert.pem --rekor-url https://rekor.sigstage.dev python-readme.md
used alt pubkey tlog...
```

> That's super weird! Where does the log index come from in that case?

It's coming from the [Inclusion Proof](https://github.com/sigstore/cosign/blob/fdceee4825dc5d56b130f3f431aab93137359e79/cmd/cosign/cli/verify/verify_blob.go#L365). We know this is Rekor's iffy behavior: https://github.com/sigstore/rekor/issues/877#issuecomment-1162066478 Basically, the...

> This has some advantages architecturally: as the Merkle tree grows, each append will be slower, and batching helps, so we may want to batch for reasons other than security....

cc @kommendorkapten @joshuagl for sigstore. Right now, all we ever get from `client.Targets()` is the top-level metadata. We can search for `client.GetTarget('rekor/rekor/rekor.0.pub')` but we don't know these a priori. Essentially right...

> Therefore, I don't think we can provide API for this in go-tuf. Hopefully we can provide API in go-tuf to make the application developer's life easier.

Yes! I think...

I've always been curious why the `rekor-cli get` did not support getting by proposed entry. I assumed that `get` should use `SearchLogQuery` which can handle the UUID, log index, and...

> The main benefit would be to fetch multiple log entries in the context of a single HTTP request.

OH I see. That was probably the entire intent of the...