asraa

Results 448 comments of asraa

Will tackle factoring out as a follow-up, want to resolve the question.

> EntryID is mainly useful if the same UUID exists across shards, and you need to be able to specify which one you want. I think my problem though was...

I guess for now we'll table this and at least fix this behavior! I'll file a follow-up issue about client/cosign verification with sharding.

ping @haydentherapper or maybe this should just go in an internal cosign package?

First, thanks so much for taking a deeper look! Two comments: (1) The generation of UTC is my mistake, since I manually set the Expiration and didn't convert to UTC...

From @trishankatdatadog:

> Yeah, this could be related to the old key_hashing_algorithms kerfuffle (TLDR: we allowed using SHA2-256 and/or SHA2-512 to compute different, collision-resistant keyids for the same key).

I don't know if tekton chains wants to/can use sigstore/sigstore's wrapped signer, but right now it doesn't and it doesn't have parity on this issue. @priyawadhwa

> we will handle this by adding the TSA intermediate and signing certificates to TUF. Rekor will pull the certificate chain from TUF, and clients will be expected to verify...

Some comments. WDYT?

* I know the spec says the cert should be PEM encoded, but the JSON marshalling in Go really doesn't like newlines in the strings. Any suggestions?...

> Could we please mark this PR as draft if it's not yet ready for review? 🙂

Sure! On that note, @mnm678 do you think this should be in a...