Hayden B
**Description** The timestamping authority is being removed as per https://github.com/sigstore/rekor/issues/812. We will replace it with an improved timestamping authority that will live in its own repository or run as a...
**Description** * verify should verify a signed tree head (STH) signature * verify should verify the STH signature uses the Rekor public key from TUF, not from the public key...
**Description** Currently, we must manually update the timestamping authority certificate chain every 6 months. Additionally, each instance of Rekor generates its own signing certificate on startup, so it is difficult...
**Description** In today's community meeting, we discussed two ways of supporting new IDPs: * Integrating with Dex * Adding the IDP directly to Fulcio's OIDC issuer config list We need...
**Description** Dex - looks like an email; K8S - looks like a service account; Username - doesn't look like an email; etc. Context: https://docs.google.com/document/d/1o8_bXIygufgiohJGlmBzqF4_BnXCTfgh4ILgJFJxYRs/edit?resourcekey=0-YEar3v67uoT31kj83dCVvA#heading=h.oiw6nn1ucgaq
**Description** Consider the following attack: * Client generates keypair K * Client fetches a Fulcio certificate * Client uploads signature over artifact and Fulcio certificate to Rekor log * A...
**Description** As described in the [specification](https://github.com/sigstore/cosign/blob/main/specs/SIGNATURE_SPEC.md), a Rekor response can be stored and verified without hitting the log. The client should: * Verify the SET * Verify that the signature...
**Description** **Version** https://github.com/sigstore/sigstore/actions/runs/3176930023/jobs/5176789186
Witnesses monitor the consistency of the log, verifying that the log is append-only and immutable. Roughly, the verification process for a witness is: * Persist a checkpoint (signed tree head)...