Jussi Kukkonen
Jussi Kukkonen
> You can have OIDC in pull request, but not pull request from forks right ? This is a minor detail since roughly everyone is interested in the case of...
was this meant for the spec repo? I think what happened was that the first quote and the second quote were worked on at the same time in separate PRs......
> I'm not familiar enought with toolchain to say if just using rustup is a decent replacement? Looks like plain rustup would work. We may still want to add something...
> There's also https://github.com/dtolnay/rust-toolchain which is gained popularity. Yes, I considered a couple of alternatives but at least so far I've not found much reason to not just "do it...
the errors are not quite the same now: `Verification failed Base64DecodeError(InvalidByte(0, 45))` I'll have a look at the code but the differences I can see in the data are: *...
Verified in code: there are two differences that would need to be handled to make verify-blob work with data from sigstore-python: * trim the signature -- this seems reasonable *...
I will make an attempt at fixing this, I think it looks like something the CLI layer can take care of.
possibly in the streaming case only the connection establishment uses retries and the actual streaming does not?
Verify issue is fixed in https://github.com/sigstore/cosign/pull/4162 We may have to use cosign from git (or work around by making sure rekor log index is > 0).
* Let's consider what the provided API is here: in this PR the API is clearly the action... but that feels a bit incompatible with local use case that I...