Luiz Carvalho
Luiz Carvalho
I really like the idea of moving towards a policy-based approach because of the flexibility it adds. Sigstore could even provide a set of canned policies (or policy templates) for...
+1! In case someone comes across this issue, this is a request to **add** support for the `when` attribute for the items in the `matrix.includes` list.
This is probably not something that should be handled at the Chains level. See https://github.com/tektoncd/pipeline/pull/6127.
+1 to adding something to the docs!
@mtcolman, unfortunately Chains doesn't have any controls for key rotation. It does load the signing key each time it needs it, so it should pick up updates without having to...
> so if we rotate the key ourselves in Vault, chains will pick up the new key when it starts a new pipelineRun? I believe so. To be clear, Chains...
sha1 is probably not ok. The remaining support for that is basically to support git commit IDs. sha256 and sha512 both work. I'm not seeing any recommendation from SLSA Provenance...
Is there agreement that this should go into sigstore-go from the start? My only concern is that it doesn't look like cosign currently uses signstore-go. I'd be hesitant to add...
@querti, last time I checked, there isn't a lot of guidance on what to do with [Image Indexes](https://github.com/opencontainers/image-spec/blob/main/image-index.md), aka multi-arch images. I've explored this in the past and one of...
/retest