Jussi Kukkonen
We should do what in-toto does: have the test runner output much more logging but only for failing tests. This should be especially useful for CI but also for developers....
client/python_interop uses the legacy python-tuf client code (the generate.py script also uses legacy repository_tool). python-tuf has recently removed the legacy code from git, and the next release will not contain...
It looks like the `ecdsa-sha2-nistp256` keytypes `keyval.public` value is incorrectly the hex encoded raw bytes of the key, instead of PEM. Spec says: > The ["ecdsa-sha2-nistp256"](https://theupdateframework.github.io/specification/latest/#keytype-ecdsa-sha2-nistp256) format is: > ```...
data/types.go sets the default specVersion value to "1.0". I think strictly speaking this is not compliant with the spec which states that "format follows semver". Semver says > version number...
This text has been modified a lot (see #209 for latest) but the [root update section of client workflow](https://theupdateframework.github.io/specification/latest/#update-root) is still difficult for new readers: > **5. Check for a...
There was an attempt to clarify `paths` vs `path_hash_prefixes` use in delegations (4.5) a few months ago but it looks like the result is still not quite finished: > The...
When the specification talks about consistent targets, it always refers to filenames. Here is _6.2.1. Writing consistent snapshots_: > consistent target files should be written to non-volatile storage as digest.filename.ext...
The "official" Alpine container rootfs's have their root password locked in /etc/shadow (see https://git.alpinelinux.org/aports/tree/scripts/genrootfs.sh#n44). I think that might be a reasonable choice for alpine-make-rootfs as well: this is one of...
This is a discussion starter for #157 #### Summary It is currently not possible to use sigstore-python to verify the signatures made with a GitHub Actions certificate -- or rather...
It would be very useful if it was possible to verify the GitHub specific claims in the certificate that we produce when using GitHub Actions. This is because the claims...