Jussi Kukkonen

Okay I have the internal refactor done... but I'm not sure how to correctly add the --trusted-root flag: * I should choose the rekor_url value based on data from trusted...

> I should choose the rekor_url value based on data from trusted root: can I assume all values in tlogs array in the trusted root have the same baseURL? Maybe...

I think we agree on everything here. * I'll make a refactoring PR #844 * I'll make an issue about refactoring KeyRing/RekorClient (#845) * this issue (adding --trusted-root) can be...

> `charset-normalizer==3.2.0` (impure) charset-normalizer has a universal wheel too

> `multidict==6.0.4` (impure) Multidict claims that _the library has optional C Extensions for speed_. There's no universal wheel though, this will need a closer look.

Documenting the native code requirements is a very good idea, but for the end goal we'll also want to look at the dependency tree as a whole: if the subset...

> > `multidict==6.0.4` (impure) > > Multidict claims that _the library has optional C Extensions for speed_. There's no universal wheel though, this will need a closer look. This looks...

> xref https://github.com/sigstore/fulcio/issues/1131 for original motivating context. Could you expand on this and the use case in general -- I assume you want to create attestations over the same content...

>> Will this be based on https://github.com/secure-systems-lab/dsse/pull/61? (Apologies if I should have know that already, the change is spread out across a number of places) > > ... > >...

> For verification, I'm realizing that VerificationMaterials will also need to be removed, similar to how we removed SigningResult. Everything will just take a Bundle instead. FWIW that matches 100%...