asraa

Results 448 comments of asraa

Yes!! We were talking about this together in the Sigstore world and definitely think it's useful to start with the Sigstore TUF clients. There's a starter [conformance tests](https://github.com/trailofbits/sigstore-conformance) for Sigstore...

I'm going to start a high-level doc about this, this week > Some of the things the libraries disagree about include whether it's possible to point at an on-disk/in-memory TUF...

> pre-submit with a non-signed attestations You can use something similar to the docker workflows -- where the `sign-attestation` step or job is gated by an if statement of whether...

ping -- does this need another review after a merge?

Update here: detect-workflow-js works this way so the remaining item here is to (after ensuring some stability in that new action) to deprecate `detect-workflow` and replace with `detect-workflow-js`

I think this is done, no more references to laurentsimon's personal repo :)

Is there anything stopping delegator from PR events? I believe it should be able to output unsigned attestations if there's a guard on the sign-attestations step.
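The gating pattern referred to in the two comments above (build and emit an unsigned attestation on every event, but only run the signing step when the event is not a pull request) can be expressed as a GitHub Actions workflow. The workflow below is an added illustration, not code from the slsa-github-generator project or from asraa. The job and step names, the `provenance.intoto.jsonl` file name, the `./build.sh` script that produces it, and the use of `cosign sign-blob` as the signing step are all assumptions made for this example; the project's own signing step may differ.

```yaml
# Added example (not the project's own workflow): gate signing on the event type
# so pull_request runs still produce an unsigned attestation artifact.
name: attest

on:
  pull_request:
  push:
    branches: [main]

permissions:
  contents: read
  id-token: write   # needed for keyless signing on non-PR events (assumption)

jobs:
  attest:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      # Hypothetical build step that writes provenance.intoto.jsonl (assumption).
      - name: Build and generate unsigned attestation
        run: ./build.sh

      # Always upload the unsigned attestation so PR runs can be inspected.
      - name: Upload unsigned attestation
        uses: actions/upload-artifact@v4
        with:
          name: unsigned-attestation
          path: provenance.intoto.jsonl

      # Signing is skipped on pull_request events: forks have no id-token
      # and the result should not be trusted anyway. Only non-PR events sign.
      - name: sign-attestation
        if: github.event_name != 'pull_request'
        run: |
          cosign sign-blob --yes \
            --output-signature provenance.sig \
            provenance.intoto.jsonl

      - name: Upload signature
        if: github.event_name != 'pull_request'
        uses: actions/upload-artifact@v4
        with:
          name: attestation-signature
          path: provenance.sig
```

The `if:` guard on the `sign-attestation` step is the only piece that changes behaviour between event types; everything before it runs identically, which is what lets a PR run surface the attestation contents for review without ever producing a signature that a downstream verifier could mistake for a release artifact.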

> @asraa when you say "lightweight" do you mean in terms of API and developer ergonomics or in terms of the dependency footprint? still lightweight in terms of dependency foot...

> Hey, does that mean that the following [cosign/cli/policy_init.go](https://github.com/sigstore/cosign/blob/main/cmd/cosign/cli/policy_init.go) is unused and should be removed as well? Yes, I believe so - the only relevant TUF code is under the...