Luiz Carvalho

@ChrisJBurns, > Also, I just want to double check that is it right that Kaniko pushes an image to Harbor first (that is unsigned), Chains then takes over and retrieves...

/lgtm

@concaf, is this something you're still looking into? If not, I can give it a shot

I filed a PR for enabling this: https://github.com/tektoncd/plumbing/pull/1055 Once that's approved, merged, and verified to be working, I'll create a PR against this repo (tektoncd/chains) to add relevant documentation. :crossed_fingers:

This should be all set now. There were multiple related PRs: - https://github.com/tektoncd/plumbing/pull/1055 - https://github.com/tektoncd/plumbing/pull/1064 - https://github.com/tektoncd/plumbing/pull/1072 - https://github.com/tektoncd/chains/pull/422 - https://github.com/tektoncd/chains/pull/427 @priyawadhwa, @afrittoli, can we close this?

If you're using pytest, you can drop this in [conftest.py](https://docs.pytest.org/en/latest/reference/fixtures.html?#conftest-py-sharing-fixtures-across-multiple-files): ```python @pytest.fixture(scope='session', autouse=True) def patch_retry(): with mock.patch.object(retry.api.time, 'sleep'): yield ```

``` $ cosign version ____ ___ ____ ___ ____ _ _ / ___| / _ \ / ___| |_ _| / ___| | \ | | | | | |...

Perhaps a new `--output` format would be a good solution for correlating results/errors with image references: ``` $ cosign verify --output=json-report ... registry.com/foo:latest registry.com/bar:latest registry.com/spam:latest Error: no matching signatures: main.go:52:...

Based on the diff output in the description, it looks like the git tag may have been moved to accommodate https://github.com/sigstore/cosign/commit/a4cb262dc3d45a283a6a7513bb767a38a2d3f448

@jalseth, thanks for your reply! I think the proposal has a few advantages. It simplifies rule writing. As you demonstrated, the detection logic can be abstracted into another rule to...