Jussi Kukkonen

Results 455 comments of Jussi Kukkonen

> sigstore/sign.py:208: error: Module has no attribute "DsseV001Schema"; maybe "DsseV001Schema1", "DsseV001Schema2", or "DsseSchema"?

I suppose we want to use `DsseV001Schema1` and strictly pin sigstore-rekor-types==0.0.13? Or is `DsseSchema` an option?

I won't comment on the Non-fulcio CA idea since I'm not really sure what that would mean -- following is likely only relevant to private deployments. I think our expectation...

> For supporting a private Sigstore deployment, I agree that long-term, providing a trusted root file seems like a good solution. Short term, can we make the TUF repository configurable...

> Set _Deployment branches and tags_ to _Protected branches only_

Note that this is something I've not used myself so I don't know 100% how this works: I assume it...

There are indeed a few wrinkles here:

* Astonishingly, creating a new branch is not covered by Branch protection (so while maintainers cannot just push to protected `series/*` branches as they...

> no self-review

Final wrinkle: this is not available via Pulumi (so even if we added support for deployment environments to sigstore/github-sync, we could not set that boolean argument via...

Update on GitHub environment situation: Pulumi now supports the _no self-review_ option for environments

### Plan

Our release environment should
* contain a reviewer list
* prevent self reviews
* ...

From #779:

> This will unify the current rat's nest of flags for configuring custom Sigstore behavior: we'll be able to deprecate and eventually remove --rekor-url, --rekor-root-pubkey, --fulcio-url, --ctfe, and...

Some notes after a bit of thinking:

* We have essentially three cases (only the first one is implemented today)
  * default: trustroot comes from TUF
  * offline: trustroot comes from...

I'll take this. Plan is:

* Move all of the parsing and sanity checking into a class derived from sigstore_protobuf_specs TrustedRoot
* this class has multiple constructors: ``` def from_file(path:...