Batuhan Apaydın
Batuhan Apaydın
@shibumi cosign v1.4.1 with some bunch of fixes is released today as you might know, would you like to give this issue a hand? 🤩 Or I can do it...
kindly ping @mattmoor @imjasonh @shibumi, seems everything works fine. 👉 https://github.com/developer-guy/ko/releases/tag/v0.9.3-signchecksum ```shell $ httpie --download https://github.com/developer-guy/ko/releases/download/v0.9.3-signchecksum/checksums.txt.sig $ httpie --download https://github.com/developer-guy/ko/releases/download/v0.9.3-signchecksum/checksums.txt.pem $ httpie --download https://github.com/developer-guy/ko/releases/download/v0.9.3-signchecksum/checksums.txt $ cosign verify-blob --signature checksums.txt.sig --cert...
we only sign the chekcsums.txt file right now, I think it is enough for verifying sha256 of the files has not been tampered with but, the final decision belongs to...
Btw @imjasonh GoReleaser is now capable of generating SBOMs by using the Syft tool under the hood, so, that we can add that support to the ko project🙋🏻♂️
I removed the --oidc-issuer flag to enable ambient credential detection support in cosign
kindly ping @imjasonh 🙋🏻♂️
kindly ping @imjasonh
kindly ping @imjasonh
Kindly ping here; maybe we cannot add the data layer that includes `/var/run/ko` if there is no `/kodata` existing in the project. WDYT? /cc @dentrax _https://github.com/ko-build/ko/blob/5e0452ad67230076340d0e28dd8488e4370675c2/pkg/build/gobuild.go#L822-L842_
ah 🤦 I've missed that issue