asraa
FYI I think there's also some major complications around using non-sha256 when you're doing a keyless signature (uploading a rekor entry sort-of-requires that the sig was based off sha256, since...
> Ah ok, my use-case doesn't use Rekor so I didn't hit that.

Gotcha! Hmmm I think ideally this is fixed through SignerVerifier exposing the correct SHA, then making cosign...
FYI you also only need the root file -- so this is the minimal first couple steps ``` Full steps involved to use staging at the moment - `rm -r...
I think this will be addressed in verify-blob-attestation, given that there's an attest-blob separate command. @priyawadhwa
> Add an optional API field for the digest

Let's add some strict verification here for a digest here. I would be a little worried about user-defined OID extensions (does...
cc @laurentsimon
This also protects against

1. Entry malleability
2. The need to distribute a separate sig

However, this relies on trusting the CA (which we already do), but the delegation of the...
Oh no!! Thank you for the catch. It should return an `err` in my opinion. That's checking the inclusion proof and signed entry timestamp -- I think that was erroneous....
This is fixed now! Test here: https://github.com/sigstore/cosign/blob/c3c4ea961deb4ae2bc1bc5c632e269b2da129e85/cmd/cosign/cli/verify/verify_blob_test.go#L535
It's also somewhat relevant for that issue (also can't track it down anywhere) on having wrapper envelopes around DSSE to provide PKI. Provide the cosign-defined manifest: includes all of the...