dlorenc

Results 69 issues of dlorenc

This isn't fully ready yet, but I was able to get minikube booting with it.

I'm still not completely happy with this code, but I wanted to send it out early and see what you thought @zchee.

```shell
% COSIGN_EXPERIMENTAL=1 cosign verify gcr.io/distroless/base:debug
Error: no matching signatures:
main.go:46: error during command execution: no matching signatures:
```

The others are signed though:

```shell
$ COSIGN_EXPERIMENTAL=1 cosign verify gcr.io/distroless/base:nonroot...
```

This accompanies a [full proposal](https://github.com/opencontainers/image-spec/issues/827).

Fixes https://github.com/opencontainers/image-spec/issues/827

Signed-off-by: Dan Lorenc

# OCI References

**New March 27th 2021**: The `Testing` section below now shows some validation to attempt to prove that this does not break existing clients.

**New March 28th 2021**:...

- Where should they live (what registry)?
- Who rebuilds/maintains them?
- Where should the source/config live?

kind/feature
lifecycle/frozen
priority/important-longterm
area/release

From a discussion with @asraa, we should figure out reasonable size limits for all types and enforce them in type validation.

We could send some patches upstream, or build these ourselves. We don't really need them to come from upstream, it's just convenience. It's not even clear they intend for these...

bug

Right now our API layer is tightly coupled to the storage layer. The API types directly turn into storage types, even though there is tons of validation and canonicalization first....

It might make sense for organizations that run Rekor internally to use the timestamp server but without the transparency log. We should document how to do this easily.

documentation