
feat(integration): Integrate Chainloop in a Sigstore environment

Open jiparis opened this issue 1 year ago • 0 comments

The goal is to research the feasibility of integrating Chainloop and Sigstore by:

  • Letting users use a Fulcio instance to generate ephemeral signing certificates with the proper attributes (CTlog inclusion, OIDC attributes correctly mapped, etc.)
  • Providing integration with Rekor to publish signatures in a public/private transparency log
  • Generating attestation bundles in the Sigstore Bundle format (the one GitHub uses) to store the verification material
  • Ensuring the attestations are correctly signed and can be verified using the Sigstore verification specs (implemented in the sigstore-go library)

The outcome of this task would be a set of action items to tackle as part of this initiative.

### Tasks
- [ ] https://github.com/chainloop-dev/chainloop/issues/1244

jiparis, Jun 19 '24 15:06