dlorenc

Results 347 comments of dlorenc

Hmm, if they're unsigned then I'm a little worried about how this works, we can't verify them using the verify flag, can we? Could you describe the use case a...

What about a command to inspect the bundle? Instead of verify, cosign inspect? I agree this usage is dangerous and that we should remove it. It's also useful for...

Hey! This might be a better question for slack. This is definitely possible, but the right approach will vary depending on your build system and security scanner. Can you ask...

Go plugins are slightly problematic for this use-case. I don't know enough about PKCS11, but is that a generic enough API to work with most remote systems?

I think I understand now, thanks everyone for the discussion! This is a case of the standard in-tree vs out-of-tree Go extensibility problem :) crypto.Signer is a...

PKCS11 should work. I'm not sure when we'll get to it, but happy to help if you're interested in giving it a try!

> It has been brought to my attention by one of our engineers that there is already the [CertSignVerifier interface](https://github.com/sigstore/cosign/blob/main/cmd/cosign/cli/sign/sign.go#L406) which implements sigstore's [SignerVerifier interface](https://github.com/sigstore/sigstore/blob/v1.0.0/pkg/signature/signerverifier.go#L30), and it is [used by...