Marco Franssen

What you did should work. https://github.com/tcardonne/docker-github-runner/blob/21400f71b894946de9b75127ba0353807cde1135/docker/entrypoint.sh#L36

Can confirm the same. ## Following works: Downloading the signature ✅ ```shell $ cosign download signature ghcr.io/philips-labs/slsa-provenance:v0.7.2 {"Base64Signature":"MEUCIQCXfQeeQE77CdZkKVaBZa474eTIZR4uUQHoQ+W/2+uatgIgXKty8HA9NYzK40rYoQ1ebs1yrECUnp/BmLNsp9oMUPw=","Payload":"eyJjcml0aWNhbCI6eyJpZGVudGl0eSI6eyJkb2NrZXItcmVmZXJlbmNlIjoiZ2hjci5pby9waGlsaXBzLWxhYnMvc2xzYS1wcm92ZW5hbmNlIn0sImltYWdlIjp7ImRvY2tlci1tYW5pZmVzdC1kaWdlc3QiOiJzaGEyNTY6ZTMzNzhhZWYyMzgyMWZkNmUyMTAyMjllNWI5OGI1YmVhZDI4NTg1ODFiMmQ1OTBkOWUzYjQ5ZDUzYzNmNzFlNyJ9LCJ0eXBlIjoiY29zaWduIGNvbnRhaW5lciBpbWFnZSBzaWduYXR1cmUifSwib3B0aW9uYWwiOm51bGx9","Cert":null,"Chain":null,"Bundle":null} ``` Downloading the attestations ✅ both the sbom and build provenance are...

@hectorj2f you are right. Using the `cosign attach sbom` command I can download the sbom. Now just a bit confused on when to use `cosign attest` vs `cosign attach` when...

Nope I don't. I actually do realize mostly the workaround is to go via VPN which does not require mTLS in our case. I do realize now not many CLIs...

Found this: https://smallstep.com/hello-mtls/doc/client/curl Might be a lead on how this could be supported.

Also found here a tutorial walking through an implementation. Would be happy to contribute, we just need to agree on a way to pass the `client cert/ca` for the mTLS...

On Docker Hub it does even work without the `COSIGN_DOCKER_MEDIA_TYPES=1`. For artifactory the `COSIGN_DOCKER_MEDIA_TYPES=1` makes it possible to store the signatures, but it doesn't allow to upload the blobs. Might...

> 👍 There are a lot of testing benefits to this as well Would indeed be great if the `os.Stdout` and `os.Stderr` in `pkg` could be replaced with an injected...

What is the state of this? I also got warnings in my workflow. Pointing to https://github.blog/changelog/2022-09-22-github-actions-all-actions-will-begin-running-on-node16-instead-of-node12/ Also happy to open a new PR to get this resolved. Please let me...

@dmitshur do you have any clue? Or any lead where to continue.