Flavio Castelli
> Thanks for the helpful insight! Can https://sequoia-pgp.org/ sign containers too? That's our main use-case we have with cosign. Relying on the same tool makes things easier to maintain. This...
It's also possible to have `sigstore-rs` download this data from Sigstore's TUF repository: see https://docs.rs/sigstore/0.3.3/sigstore/tuf/index.html
I used `ring` back in the day because there was no native support for `p384` inside of the "[RustCrypto](https://github.com/RustCrypto) ecosystem". This recently changed, hence I'm fine dropping `ring` support. As for...
> I'm not proposing to drop the function of `CosignVerificationKey`. It is very useful, but need some refactoring. IMO there may be three layers for the verification key abstraction: >...
This dev dependency is needed because we want our example programs to be able to print debug/warn/error messages to the standard output. The `ansi-term` crate is being used by a...
Sorry, the last days have been a bit crazy... It's already possible to verify the Rekor data attached to a signature. I guess this is what you're looking for. Do...
> @flavio is referring to using the rekor public key for bundle verification --rekor-pub-key @lukehinds is right. This is what I was referring to. Given a cosign signature object retrieved from...
I've been really tempted to experiment with sans-io. I would track that with a dedicated issue and attempt to not conflate the two things together (this issue and the one...
Yes, this is what is used by oci-distribution. Just ensure you're using it in async mode; using it in blocking mode would be an issue.
Thinking more about that issue, I think this needs oci-distribution to implement better error reporting.