asraa
> Thanks! Does Golang offer conditional compilation? Agree not everyone may want Fulcio deps/support out of the box. We could use a tag? like `go build -tags=sigstore ./cmd/tuf` that would...
We should add it to what attributes are indexed by adding it to https://github.com/sigstore/rekor/blob/ed585a3385f9d6447f886d6948554e261288bc6a/pkg/pki/x509/x509.go#L175! What do people think of renaming that function to `Subject()`? Then using https://github.com/sigstore/cosign/blob/03e66aad02cf7c987ea489cdeda1fd580b6b1fc6/pkg/signature/keys.go#L248-L256? @sigstore/rekor-codeowners
> We will replace it with an improved timestamping authority that will live in its own repository or run as a separate service.

Agreed, this sounds good: rekor-tsa or something...
@shibumi and @haydentherapper pretty much summarized all the good points! :D

> I really wouldn't trust the tlog entity whether it's really signed by specified email address.

Just to clarify...
> Do I need an own Issuer if I want to use my own TUF root?

Nope! You can use existing issuers, supplying the TUF root (e.g. Fulcio root) would...
Ah gotcha! I see. Yeah in that article it mentions you can either add your own Issuer to Sigstore's root ("Send a four-line PR to the Fulcio repo, adding your...
@Dentrax Yes! Feel free to reach out -- @rgerganov is also testing out supplying a BYO TUF root, so if there's any friction hopefully we'll see it soon!
Also: would be nice to expose client state in a readable way (expirations/versions of top-level meta?)
I'll take on verification of the root hash today
comments addressed!
* specifically decided not to add URL references for the container data
* I take the sha of the bytes passed in, which will be easy for cosign...