asraa

Results 448 comments of asraa

v2 sounds good to me as well: it doesn't BLOCK clients anymore.

Sigstore's current TUF repository is here: https://github.com/sigstore/root-signing/tree/main/repository/repository!

> I'd say the original sigstore metadata was incorrect in not following the TUF spec. Best to use the Z suffix specified in the spec. WDYT @asraa ? And yes!...

Reopening for the Fulcio one

> It would be nice to give users the option to choose between Rekor or the TSA! We can start with an env var for trusting a TSA root CA,...

@hectorj2f how do you plan to approach it? I think we have a lot of efforts by many people in the same direction: e.g. the Sigstore bundle has support for...

> @hectorj2f can start with adding in the env var, and TSA support for images. IIUC nobody else is working on that in cosign, so work shouldn't be duplicated. We...

I'd probably expose this as an option for `VerifyOpts` like `OnlineLogVerify` actually: `RekorOptions` makes more sense! edit: actually I don't know. now I'm thinking `CheckOpts`.

> I think yes, otherwise there’s not much point to the online lookup. Part of it is to make sure Rekor isn't misbehaving: Rekor serves you an offline proof, and...

Honestly, part of my motivation is that no one detected the Rekor outage in staging because no one HAD the option of using Rekor online for containers!