laurentsimon
We should also consider resolving https://github.com/google/model-transparency/pull/64#discussion_r1378198940, which suggests reformatting some of the tests.
We implemented a simple tree-like serialization routine in https://github.com/google/model-transparency/blob/main/model_signing/serialize.py. Other possibilities:
- [ ] go.sum uses dirhash https://github.com/golang/mod/blob/master/sumdb/dirhash/hash.go, which lists files instead. `sha256sum $(find . -type f | sort) |...
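The dirhash scheme mentioned above, as an added example (this is not code from model-transparency nor from the Go module itself): a per-file listing of `sha256hex  relpath` lines, sorted by path, hashed again and emitted as `h1:<base64>`, which is the `Hash1` format as the Go source describes it. It is shown next to the naive `cat $(find . -type f | sort) | sha256sum` variant, which drops the file boundaries; the two constructed trees below collide under that variant and are distinguished by the listing hash. `build_tree` and the sample file contents are constructed for the demo.

```python
"""Directory hashing: per-file listing (dirhash Hash1 style) vs. raw concatenation.

Added example, not code from model-transparency or golang.org/x/mod.
The "h1:" format mirrors what dirhash.Hash1 documents: one line per file,
"<sha256 hex>  <slash path>\n", sorted by path, then sha256 of that listing,
base64-encoded with an "h1:" prefix. The prefix argument used by `go mod`
is assumed empty here.
"""
import base64
import hashlib
import tempfile
from pathlib import Path


def sorted_files(root: Path) -> list[str]:
    """Relative slash-separated paths of all regular files, sorted as strings."""
    root = Path(root)
    return sorted(p.relative_to(root).as_posix()
                  for p in root.rglob("*") if p.is_file())


def file_sha256(path: Path) -> bytes:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.digest()


def dirhash_h1(root: Path) -> str:
    """Hash a tree the way Go's dirhash.Hash1 does (assumed format, see docstring)."""
    root = Path(root)
    listing = hashlib.sha256()
    for rel in sorted_files(root):
        if "\n" in rel:
            # dirhash refuses such names: a newline would let one file forge
            # an extra listing line.
            raise ValueError(f"dirhash: filenames with newlines are not supported: {rel!r}")
        listing.update(f"{file_sha256(root / rel).hex()}  {rel}\n".encode())
    return "h1:" + base64.b64encode(listing.digest()).decode()


def naive_concat_hash(root: Path) -> str:
    """`cat $(find . -type f | sort) | sha256sum`: file boundaries are lost."""
    root = Path(root)
    h = hashlib.sha256()
    for rel in sorted_files(root):
        h.update((root / rel).read_bytes())
    return h.hexdigest()


def build_tree(files: dict[str, str]) -> Path:
    """Write a constructed tree {relpath: content} into a fresh temp dir."""
    root = Path(tempfile.mkdtemp(prefix="dirhash-demo-"))
    for rel, content in files.items():
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text(content)
    return root


if __name__ == "__main__":
    # Constructed inputs: same bytes overall, different split across files.
    t1 = build_tree({"weights/a.bin": "xy", "weights/b.bin": "z"})
    t2 = build_tree({"weights/a.bin": "x", "weights/b.bin": "yz"})
    print("concat :", naive_concat_hash(t1) == naive_concat_hash(t2))  # True: collision
    print("dirhash:", dirhash_h1(t1) == dirhash_h1(t2))                # False: distinguished
    print(dirhash_h1(t1))
```

Renaming a file or moving bytes between files changes the `h1:` value because both the path and the per-file digest are part of the listing; the concatenation variant sees only the byte stream.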
See comment https://github.com/sigstore/model-transparency/blob/main/model_signing/model.py#L48. We need to provide a verbose parameter. When verbose is disabled, errors will be generic and not leak information (paths, etc.). We also need to expose this...
We may want to:
1. Support hashing for GPU
2. Have an API that allows passing in a custom hash engine. Callers can take advantage of their own hardware to...
Our current code signs / serializes folders using a custom hash built using sha256. It works well but has 3 disadvantages:
1. We need to update rekor hash support (very...
The API should support custom roots. For Fulcio and Rekor, we need
1. tuf root
2. a URL to update the root (if not already present in the tuf root...
Windows, Linux with signing on one platform and verifying on another
Workflows that use labels to enforce reviews before running tests on pull_request_target check out the repo with `ref: ${{github.event.pull_request.head.sha}}`. One mistake some developers make is to use `ref: ${{github.event.pull_request.head.ref}}` instead, which is...
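A small detector for the mistake described above, as an added example (not scorecard's own check and not code from either project): it scans workflow text for a `pull_request_target` trigger combined with a checkout of `github.event.pull_request.head.ref`. The reason this matters is that `head.ref` is a branch name, resolved again at checkout time, so commits pushed after the label or approval was applied run with `pull_request_target` privileges, whereas `head.sha` pins the reviewed commit. The three workflow snippets are constructed; the regex-based approach (rather than a YAML parser) is a simplification for the example.

```python
"""Flag pull_request_target workflows that check out the mutable PR branch.

Added example, not scorecard code. Plain regexes over the workflow text:
good enough for the common block-style `on:` and `with: ref:` layouts,
not a full YAML parser.
"""
import re

# `pull_request_target:` as a mapping key, or `- pull_request_target` in a list.
TRIGGER_RE = re.compile(r"^\s*(-\s*)?pull_request_target\s*:?\s*(#.*)?$", re.M)
# `on: [push, pull_request_target]` flow style.
INLINE_TRIGGER_RE = re.compile(r"^\s*on\s*:\s*\[[^\]]*\bpull_request_target\b", re.M)
# The mutable ref: a branch name that the PR author can keep pushing to.
HEAD_REF_RE = re.compile(
    r"^\s*ref\s*:\s*\$\{\{\s*github\.event\.pull_request\.head\.ref\s*\}\}", re.M)


def uses_pull_request_target(workflow: str) -> bool:
    return bool(TRIGGER_RE.search(workflow) or INLINE_TRIGGER_RE.search(workflow))


def find_mutable_checkouts(workflow: str) -> list[int]:
    """1-based line numbers of `ref: ...head.ref` in a pull_request_target workflow.

    A workflow triggered only by `pull_request` is not reported: it runs
    without write token and secrets, so checking out head.ref there is
    not the privilege problem this example is about.
    """
    if not uses_pull_request_target(workflow):
        return []
    return [workflow.count("\n", 0, m.start()) + 1
            for m in HEAD_REF_RE.finditer(workflow)]


# Constructed sample workflows (not from any real repository).
UNSAFE_WORKFLOW = """\
name: tests
on:
  pull_request_target:
    types: [labeled]
jobs:
  test:
    if: contains(github.event.pull_request.labels.*.name, 'safe to test')
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.ref }}
      - run: make test
"""
# Same workflow with the reviewed commit pinned instead of the branch name.
SAFE_WORKFLOW = UNSAFE_WORKFLOW.replace("head.ref", "head.sha")
# Same checkout, but on the unprivileged pull_request trigger.
PR_WORKFLOW = UNSAFE_WORKFLOW.replace("pull_request_target:", "pull_request:")


if __name__ == "__main__":
    for name, wf in [("unsafe", UNSAFE_WORKFLOW), ("safe", SAFE_WORKFLOW),
                     ("pull_request", PR_WORKFLOW)]:
        print(f"{name:>12}: flagged lines {find_mutable_checkouts(wf)}")
```

The label gate in the `if:` condition does not help once `head.ref` is used: the condition is evaluated against the labeled event, but the checkout fetches whatever the branch points at when the job runs.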
Explicit branch name
```yaml
pull_request_target:
  branches: [ "main" ]
```
should be detected by scorecard. Reasoning: Local branches containing the same workflow cannot be exploited or triggered. For example: imagine...