laurentsimon

Results 1092 comments of laurentsimon

> application/octet-stream

Our use case is model signing for multiple files in a folder, so it would be something like `application/vnd.ai-model-manifest+json` or maybe more generic `application/vnd.path-manifest+json`. @mihaimaruseac to comment

Thanks all. For model signing, it will be JSON format.

> CC @haydentherapper: do you know if Rekor would accept these? I seem to recall there being a requirement that...

We had an offline chat with @haydentherapper and @mihaimaruseac to brainstorm. What came out is that Sigstore would like to _not_ be in the business of litigating addition of new...

@haydentherapper can you explain why rekor needs to be aware of the hash type used in intoto subject? Why is the hash type used for DSSE signing not enough? I...

Was discussed in https://github.com/sigstore/sigstore-python/issues/1018

Super excited about this feature! For mock repo client, maybe https://github.com/ossf/scorecard/blob/main/checks/raw/branch_protection_test.go#L259-L284 can help?

We may check for the presence of the .gitignore file and check that sensitive files, like private key formats and others, are listed. Besides password/private key files, we can also add...

Note that [Github's scanning](https://docs.github.com/en/code-security/secret-security/about-secret-scanning) is enabled by default for public repos.

There's also https://github.blog/2022-12-15-leaked-a-secret-check-your-github-alerts-for-free/, which shows a setting we could use.