Brian DeHamer

Results: 15 issues by Brian DeHamer

Signed-off-by: Brian DeHamer #### Summary Adds some plumbing to automatically codegen types for the sigstore bundle format from the published protobufs. Types can be re-generated by executing the following: ```...

**Description** Part of the verification workflow should include verifying the Rekor entry. This should include support for both the offline case (where a rekor bundle is provided) and the online...

enhancement

[Rendered RFC](https://github.com/bdehamer/rfcs/blob/bdehamer/sbom/accepted/0000-sbom-command.md#sbom-generation-for-npm-projects)

Closes: #3577

#### Summary

Adds a new spec doc which describes the scheme for publishing/retrieving Sigstore bundles to/from an OCI registry. [Rendered version](https://github.com/bdehamer/cosign/blob/bdehamer/bundle-spec/specs/BUNDLE_SPEC.md)

Many of the Sigstore clients already have support for generating/verifying the [protobuf bundle](https://github.com/sigstore/protobuf-specs/blob/main/protos/sigstore_bundle.proto), but adding this support to tools like cosign and the [policy-controller](https://github.com/sigstore/policy-controller) requires that we standardize on an...

enhancement

Fixes #526. Replaces https://github.com/sigstore/sigstore-js/pull/552

#### Summary

Updates `@sigstore/sign` to use "dsse" as the default Rekor type when submitting DSSE-wrapped payloads. This replaces the "intoto" type currently in use. NOTE:...

Updates the list of recognized permissions to include the new `attestations` permission (see [Using artifact attestations to establish provenance for builds](https://docs.github.com/en/actions/security-guides/using-artifact-attestations-to-establish-provenance-for-builds))

Would be helpful to add TypeScript to the list of supported languages for protobuf bindings. Could be used as part of [`sigstore-js`](https://github.com/sigstore/sigstore-js)

good first issue
help wanted
protos

Updates `workflow-v1.0.json` with support for the new `attestations` permission (per the [artifact attestations](https://docs.github.com/en/actions/security-guides/using-artifact-attestations-to-establish-provenance-for-builds#generating-artifact-attestations-for-your-builds) feature). I wasn't sure if I should add a test for this change as it appeared that...

We already have message types defined that describe the inputs to the verification process (`Bundle`, `TrustedRoot`, `ArtifactVerificationOptions`) so it seems reasonable to also define a standardized verification response. This will...