dlorenc

Results 69 issues of dlorenc

This came up in the context of OPA in Slack - they'd like to provide a builtin for verifying signatures, which would ideally depend only on the Go stdlib. Cosign...

It looks like GitLab offers JWT tokens as well to CI jobs: https://docs.gitlab.com/ee/ci/examples/authenticating-with-hashicorp-vault/#how-it-works
They're available as the `CI_JOB_JWT` environment variable, and the endpoint is `https://gitlab.example.com/-/jwks`. It sounds like they don't...

enhancement

We now have support for SPIFFE IDs, and federation through https://github.com/sigstore/fulcio/pull/107! This means we can issue certs for subjects like `spiffe://somedomain.com/foo/bar`, and authenticate them against an OIDC endpoint. Right now...

Same as: https://github.com/sigstore/rekor/issues/191

pathfinding

https://github.com/opencontainers/image-spec/blob/master/descriptor.md
All the other payload formats I've seen look roughly like this one with slightly different names and structures. We already have this one standardized with library support, why not...

Stale

I've had some more time to look over the signature format here: https://github.com/notaryproject/nv2/blob/prototype-1/docs/signature/README.md
Here's some initial feedback:
- The self-signed x509 usage (at least as documented) seems superfluous. A simple...

Stale

http://blog.npmjs.org/post/171556855892/introducing-npm-ci-for-faster-more-reliable

nodejs
ftl

I see a setting to enable/disable the debugger, but is there anything else in this image for stackdriver integration?

I think there are two main "audiences" for these requirements (maybe more):
- Developers that publish open source artifacts
- Organizations that operate build systems (company internal, public services, community-run,...

clarification