asraa

448 comments by asraa

> One to add a flag just to say “online lookup”,

That's the current scope! Feel free to add a follow-up issue for the second. And yeah: I think if...

Added a description about that in the issue of non-goal and that it would require state checking for full paranoia mode.

I'll be working on one change to refactor and simplify the logic, TBA.

Hey! We just released the security fixes and the code is refactored (and tested). If you rebase your PR (or might be easier to redo....) I think it'll be good...

> job_workflow_ref may be unnecessary if we can construct it from other claim values like workflow and ref.

I don't think that's correct. In your link `The workflow, ref, and...

> There was conversation in https://github.com/sigstore/fulcio/issues/624 about including the run ID (run_id), run count (run_number) and attempt count (run_attempt). We should decide if these should be required for Fulcio certificates....

> This is a blocker for releasing the new Rekor since we no longer allow the upload of 0.0.1 intoto entries, unless we want to ease that restriction. What about...

+1 on the general notion of sub-directories based on types

> Including these would let us identify the individual pod that ran, similar to how we can ID individual GitHub...

Was this a regression due to https://github.com/sigstore/cosign/commit/c5fda01a8ff33ca981f45a9f13e7fb6bd2080b94? It seems related, but I haven't checked the internals. @mattmoor

Agree that if `--type` is not specified, all valid attestations probably should return