Jussi Kukkonen
Just making sure I wasn't too wishy washy in my original comment: * I think this is not just an enhancement but a real bug: go-tuf seems broken for users...
I guess one issue is how hard it is to jump from _"this project uses gh-action-sigstore-python"_ to _"I can verify this signature locally with `sigstore verify github --repository xyz --name...
Some features I would like to see -- note that it's very likely that all of these cannot be achieved at once in a single project so consider this a...
I would like to keep this proposal as the minimal one: the last time this discussion happened the result was TAP 12 -- it's a fine TAP but it seems...
I'm making this a draft again: I made a quick test to try how far the signing on github goes but fulcio does not seem to like the identity token...
> I'm making this a draft again: I made a quick test to try how far the signing on github goes but fulcio does not seem to like the identity...
Latest commit makes it clear that the identity claim comes from the OIDC JWT. Let me know if you feel strongly about the solution here: I can make identity_claim a method...
FYI in case you'd rather see a more complete picture: * https://github.com/jku/sigstore-rs/tree/token-add-issuer-claim contains the second part of this, exposing the "ultimate issuer" in IdentityToken. * https://github.com/jku/sigstore-rs/tree/merge-merge-merge contains all PRs I...
> There is still work to do here but I will be out for a couple of weeks so it might be worth getting some eyes on in the meantime....
> Sigstore-go provides a way to check for a trusted root and automatically use it if available, but can also fetch individual targets as needed if the provided TUF mirror...