Colleen Murphy

Results: 71 comments of Colleen Murphy

The latest change adds back the `root.NewLiveTrustedRoot` TUF fetch, now guarded by environment variables so the user can opt in. Using environment variables seems to be pretty common in cosign...

@steiza thanks for the summary, I have a couple of minor clarifying questions:

> This doesn't make sense - if you're using TUFv2 you're going to have a trusted root...

I see now how trying to switch the internals of cosign's individual key material fetching functions isn't going to result in a seamless outcome. I'm afraid, however, that conditioning the...

I've updated this PR to approximately implement the plan I laid out in [my comment](https://github.com/sigstore/cosign/pull/3844#issuecomment-2389974709). I've done some light manual testing but it will need significant e2e and unit testing....

@haydentherapper

> For verification, root certificates should be pulled through TUF through an API in sigstore/sigstore. We had started a refactor a long time ago to move TUF logic into...

Addressed comments, added unit tests mainly for `initialize` and for the fulcio verifier which has the tricky detached SCT handling, added an e2e test that uses trusted_root.json, and fixed several...

Unable to reproduce the conformance test issue because of a different python issue, also appearing here https://github.com/sigstore/cosign/actions/runs/12717693057/job/35454646340?pr=4006

I think this has some overlap with https://github.com/sigstore/cosign/issues/3548, should they maybe be combined?

@haydentherapper @bobcallaway

Removed rekor-tiles from the CT config so the CI won't try to deploy it. Like some other charts, it has a hard dependency on external resources and can't be deployed...