asraa
asraa
> that I find it quite useful to be able to list them all. I would also like to at least keep a command that would list targets, but maybe...
@znewman01 mind if I update this?
@jku @mnm678 could you PTAL? TAP-12 key ID removal is done, and so is some minor go-tuf snapshot length/hashes presence bug is resolved too.
@lumjjb @SantiagoTorres For your opinions: Is it better to consider that a `rekord`/`hashedrekord` type can be a (SLSA) provenance, or loosen the `--type intoto` to allow for signatures on intoto...
> Will https://github.com/sigstore/rekor/pull/973 fix this one? @rbehjati took a review on this PR: This PR would allow you to upload the following proposed entry to Rekor in code: ``` re...
> +1! I think we probably want to actually switch the way we sign containers from SimpleSigning over to the OCI Descriptor, but we could always support both in rekor:...
> Ah I remember now! sign-blob needed to use the HashedRekord type, but signing a container could use the other one! Yep that's what I imagine! I also made some...
Could we be more explicit with the requirements here for this issue?
Thanks @tiziano88! This has been a common source of problems when other users need to verify entries. Which is also complex, so agreed there needs to be a central library...
Related: https://github.com/sigstore/rekor/issues/891 This is useful because currently some clients don't run a full verification. In the cosign link above, the function verifies the inclusion proof and the SET. However, validating...