dlorenc
> It would be better privacy, and less surprising, if gitsign didn't pull information like email addresses into the commit. I agree. The email gets returned from GitHub during the...
Oh wow, thank you for the pointers!
Yep, just for stable identification and non-repudiation.
I think here it's about compatibility. Git requires X.509 S/MIME signatures here and assumes RFC 3161.
I think we should consider prioritizing this one. The RFC 3161 stuff is kind of ugly, but it's integrated into OpenSSL and git when it verifies these signatures. It would make...
cc @znewman01
This is definitely doable but a bit tricky; there are a few options. A GitHub Action can do some of these checks, but must be manually configured by each repo...
There's an issue tracking size reduction here: https://github.com/sigstore/cosign/issues/1462 FWIW, I don't think 10 MB is doable today; the Go binaries are just too large. I've seen it hit ~20 MB with compression...
For something like an RPM, I think this would consist of changing the API to allow specifying an RPM file (URL or raw) and public key. The server would then...
Stepping back a bit, I think we might want to rename (or maybe alias for compatibility) the in-toto type to be a DSSE envelope, since that's more semantically correct. An...