Fredrik Skogman

Results 161 comments of Fredrik Skogman

Thanks for filing this issue ❤ Actually I think it works as expected, but there are some improvements we can do here from our side, both on the documentation...

Yes, there are some options to choose from (different extensions). One of the reasons to *not* trust the value in the extension in your example is that the identity of...

I believe this is due to an older version of `gh` being used. See below for my local attempt: ```shell $ gh attestation verify pihole-FTL-amd64 --owner pi-hole --bundle ./pi-hole-FTL-attestation-793098.sigstore.json Loaded...

Can you share the TUF `targets.json` config? It seems you are missing the metadata for `ctlog-pubkey`? Looking at Sigstore's metadata, it looks like this: ```json ... "ctfe.pub": { "length": 177,...

@haydentherapper ah, got it. I'm not very familiar with the scaffolding project and how the TUF repository is configured.

@haydentherapper the overall agreement was to add a new file to *not* break anything for the existing clients. It's listed here: (third bullet point: `SigningConfig URLs from TUF`) > New...

What I remember is that we should only ship `trusted_root.json` and `signing_config.json`. A client may combine them to use if needed. We avoided shipping the `ClientTrustConfig` as it would...

@asraa I'm trying to understand what the real work needed is. With the current tooling we can: 1. Update the expiration. By running `add-delegation` the expiration is updated for the...

Yes, changing the key is something I don't think can be done today, but we have ~1y to figure that out 😄 I should maybe clarify what I meant, for...