asraa
> Thanks, I think your suggestion would indeed at least allow specifying a custom in toto attestation format, which is a good starting point.
> But I wasn't able to...
Update: After talking to lots of folks about this problem, I think here's the path forward:

Tackle these problems separately:
1. Where do we store or attach verification material for...
One AI for tracking: Clean up the `GetRekorPub` overrides https://github.com/sigstore/cosign/pull/1932/files/81a86c3c4b79545d0a009ebb4d4ec77a8c1b76e8..2805823eaa317d931f5b6cb3d196aab3f52a5ed2#r884674685
Another one: testing verification failure and TUF object closure
https://github.com/sigstore/cosign/pull/1932#issuecomment-1142238581
https://github.com/sigstore/cosign/runs/6643745610?check_suite_focus=true
```
error: failed to create job: admission webhook "policy.sigstore.dev" denied the request: validation failed: failed policy: image-policy-keyless-with-identities: spec.template.spec.containers[0].image registry.local:5000/policy-controller/demo@sha256:903d83d6d129a07eda4aa5e39bc59471de598b9e5930acdc217c4184e94fddbd...
```
Clean up `GetEmbedded` usage, but still keep it easy to test https://github.com/sigstore/cosign/pull/1921#discussion_r885737391
Another one: Clean up the configurable remote https://github.com/sigstore/cosign/pull/1921/files#r882887941
Load all targets into memory at initialize to save time reading/writing to disk: https://github.com/sigstore/cosign/pull/1921#discussion_r885966545
DONE: https://github.com/sigstore/cosign/pull/1953
`TUF` Object concurrency fix: https://github.com/sigstore/cosign/pull/1941
The leveldb underlying store cannot be used by multiple threads, causing failures where the local cache cannot be accessed. Fix by only creating a writeable...
One more: Initialize CheckOpts for verification material with TUF, do not invoke our TUF client inside library functions. This will make it infinitely easier to test.
Re-opening, the remaining items are:
* Clean up the `GetEmbedded` and `GetRemoteRoot`
* Consolidate the Rekor pub overrides
* Set RekorPubs in CheckOpts as we do for Fulcio roots so we...