Jussi Kukkonen

Results: 132 issues by Jussi Kukkonen

In #2193 the client example gains Trust-On-First-Use (TOFU) functionality and support for arbitrary repositories. This is very useful for testing but has two issues: * we should also be an...

`Signer`, `Signature` (and in future maybe most of `Key`) are really part of the Metadata API but are technically implemented in securesystemslib. We should either include those in the python-tuf...

documentation

From https://github.com/theupdateframework/python-tuf/actions/runs/3249189713/jobs/5331305228 A test file import fails on windows at `from securesystemslib.signer import Signature, SSlibSigner` (flaky). This is likely https://github.com/secure-systems-lab/securesystemslib/issues/428. ``` ERROR: test_api (unittest.loader._FailedTest) ---------------------------------------------------------------------- ImportError: Failed to import test...

bug
blocked

in-toto seems to produce non-compliant metadata when signing with GPG. See https://github.com/in-toto/in-toto/blob/cb562165b2f62d1fabc80b0b5fdcf212df8fd3d6/tests/demo_files_gpg/write-code.8288ef56.link:

```
"signatures": [
  {
    "keyid": "8288ef560ed3795f9df2c0db56193089b285da58",
    "other_headers": "04000108001d1621048288ef560ed3795f9df2c0db56193089b285da5805025a25a335",
    "signature": ...
  }
],
```

compare to the spec https://github.com/in-toto/docs/blob/master/in-toto-spec.md#42-file-formats-general-principles...

It looks like the embedded TUF root metadata that cosign uses comes from this repository: https://github.com/sigstore/sigstore/blob/main/pkg/tuf/repository/root.json (I'm not super familiar with Go or this code base so please correct if...

bug

**Description** Currently cosign user-agent when downloading TUF metadata is `Go-http-client/2.0,gzip`. It would be helpful if it had more details, something like `cosign/2.0.2 go-tuf/0.5.2 Go-http-client/2.0` -- or whatever combination makes sense...

enhancement

[reusable-release.yml](https://github.com/sigstore/sigstore/blob/main/.github/workflows/reusable-release.yml) defines a workflow with inputs `key_ring` and `key_name`. These inputs are not actually used in the workflow: the values are instead hardcoded to "release-cosign" and "cosign" respectively. I think...

bug

sigstore-conformance 0.11 supports testing against staging infrastructure. This requires two things: * Support the optional `--staging` in all commands of the conformance client `tests/conformance/conformance.rs`, see [CLI protocol](https://github.com/sigstore/sigstore-conformance/blob/main/docs/cli_protocol.md) * Add...

enhancement

PyPI releases currently happen based on GitHub release. GitHub releases can be made from unreviewed commits in unprotected branches by just a single maintainer (see #893). A possible improvement is...

enhancement

The conformance test GitHub action now supports testing against Sigstore staging infrastructure. Testing against staging is beneficial because when infrastructure changes, it happens first in staging: finding out ASAP is...

enhancement
good first issue
component:tests