John Kjell
Given how we're trying to (re)define this, the examples seem orthogonal to the definition. It sounds more like we're defining a property of the Build Platform, of which most CI...
Definitely agree with this. I found what looks like a good set of alternatives from the Sigstore cosign install docs: https://docs.sigstore.dev/system_config/installation/. It'll take a bit to add all of these...
Need to really understand the UX of this so we end up with predictable behavior
Appreciate the help @DataDavD. Let us know if you have any questions or need any help along the way.
Closed by https://github.com/in-toto/witness/pull/292
I've been thinking about this from the verification side and parallels to SLSA Build Provenance. The docs for build provenance today separate [verifying artifacts](https://slsa.dev/spec/v1.0/verifying-artifacts) and [verifying build platforms](https://slsa.dev/spec/v1.0/verifying-systems). Is there...
@MarkLodato that's great framing and is really helpful for my understanding. >I don't think a VSA fits here since we're discussing properties of a range of commits (as opposed to...
Closed by https://github.com/in-toto/witness/pull/381 and included in Witness releases `v0.4.0` and later.
Can we add the same additional flags that Sigstore uses? https://docs.sigstore.dev/verifying/verify/#keyless-verification-using-openid-connect `[email protected]` and `--certificate-oidc-issuer=https://accounts.example.com`
@ChaosInTheCRD I've been thinking a bit about this and I think [this](https://github.com/in-toto/go-witness/issues/168) might be a blocker for this PR. One of the critical things to verify on a Fulcio cert...