dlorenc
This one came from this discussion and doc: https://github.com/sigstore/cosign/issues/86 https://docs.google.com/document/d/1oyMQ-a0Uwyl9Pew7ISYUdKFfnqEp-qfk1psVFdd-o8Y/edit
> It makes complete sense to me that simple signatures could be folded into some kind of attestation type so that we can use the same format across these very...
Confirmed with @patflynn this doesn't require any changes to rekor, dropping ga-candidate.
> @jdolitsky @dlorenc
>
> My apologies to direct PR.
>
> I wish to reopen and finalize the discussion against this specification.

Are you hoping to merge this?
Cc @puerco can you double check this one?
I think the identity token flag is mostly for signing. What are you trying to upload to?
cc @dekkagaijin @srenatus Jake - any ideas if this should go here or into sigstore/sigstore? Or do we need a new "verify only" module somewhere? I forget how aggressively go...
> How can we get involved in it with @Dentrax because we are really really interested in this topic 🤩

Go for it! I'm not sure how much refactoring would...
I think the issue here is that the verification bundle is stored outside of the attestation. It gets attached correctly, but isn't returned because there isn't enough information to verify...
+1 on speccing this out! I think we had another issue somewhere for it, but I'm not sure where.