asraa
asraa
Hey! Yes - I would definitely chat with @jku - the easiest for prototyping would definitely be the fully online GitHub repository deployment. That being said, our current tooling on...
Finding a way to see PAT attribution :)
@kommendorkapten also brings the point of when verifying newly initialized metadata and we don't expect any sigs, we are also looking to identify other properties than keys: is the data...
Should this be in a client repository? If you're speaking of the timestmap.json check for cache validity: note that this isn't part of the TUF client workflow start, this is...
I think though, Sigstore deployments and clients are in a lot of different environments, and some may prefer to configure WHEN to perform the TUF client workflow. See this doc...
> default to not using this behaviour. +1 This might address your concern @haydentherapper : I think the issue context is likely around the SCT rotation and how long-lived clients...
Closed, because will be handled by the delegation
Done in https://github.com/sigstore/root-signing/commit/fbd45af5663f4518c8ba9564e91ba688a21ae2ce Will need to figure out how to notify keyholders. Changing title.
Allow deletions here? https://github.com/sigstore/community/blob/e319d18f5a773495c7e89c19a350e382814b241d/github-sync/github-data/repositories.yaml#LL1240C31-L1240C31
Seems like a weird process, but I think it would solve the manual merges. For auto-review bot, I can switch to using https://cli.github.com/manual/gh_pr_merge, which seems to have an `--author-email`. I...