Jussi Kukkonen
> I think so -- the way I'd frame it is "I have all of the local materials needed for a Sigstore root of trust, and I don't want to...
> > 2. No offline mode: It should be possible to make a _user decision_ to stay offline (In other words _"I'm running 'sigstore verify' without a network connection but...
I think this sounds quite reasonable. * first step is `--offline` that works by side-stepping TUF altogether, just looking into the target cache to find the key material. This is...
I found one more (possibly different) requirement: > we should make sure that TUF refreshes fail gracefully without a network connection. @di What does this mean exactly? This does not...
thanks for the ping... We discussed the TUF aspects with @woodruffw a couple of weeks ago but it seems I did not update the issue (sorry): * the "offline" feature...
I'm planning to add internal support for this while fixing #821: see https://github.com/sigstore/sigstore-python/issues/821#issuecomment-1855477728
#351 is going to make this even more visible in at least a couple of places. It does things like: ```python updater = TrustUpdater.production() if args.ctfe_pem is not None: ctfe_keys...
> In case the user needs to provide multiple roots, it would be clear and intuitive from the flag name itself that it is a valid and supported use case...
#844 is merged: * this url-per-key system can now be implemented * this likely means we can simplify how some components are initialized: e.g. RekorClient possibly doesn't need different constructors...
I did some quick tests in https://github.com/jku/sigstore-python/commit/50418201b5ade7ddaa7dc2fdd9e86a7bccf04b42: * backwards compat decision needs to be made: likely we should support verifying already existing certificates that contain github OIDs only, like the...