Patrick Flynn

While building Sigstore TUF clients it's necessary to parse the various resource types (Root, Snapshot, Target,..). Most languages have serialization tools that can do this automatically with the right OpenAPI...

Propose modifying cosign blob signing and verification to produce a single complete signature file to support simple signing and offline verification.

8

Details of this proposal available in this [Google Doc.](https://docs.google.com/document/d/1gucjOA_bGyRjK6TeaOI-X5GIUv8WsPzeMDMkq25Kv4Y/edit#heading=h.we5fqok7jai5) ### Summary The current `sign-blob` command and documentation steer the user towards producing two files (raw sig and cert) for each...

file output of --output-certificate is base64 encoded (badly?), but the decoded contents is just a b64 pem file.

6

When running ` COSIGN_EXPERIMENTAL=1 cosign sign-blob foo.bin --output-signature sig --output-certificate foo.pem` I found that the contents of foo.pem was: ``` ➜ signing-playground cat service.pem LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUNvekNDQWltZ0F3SUJBZ0lVYm94bjh0dnpHMkhvWVdpQlVnb2xwTmF3dHhrd0NnWUlLb1pJemowRUF3TXcKTnpFVk1CTUdBMVVFQ2hNTWMybG5jM1J2Y21VdVpHVjJNUjR3SEFZRFZRUURFeFZ6YVdkemRHOXlaUzFwYm5SbApjbTFsWkdsaGRHVXdIaGNOTWpJd05qRTNNVE14T0RRM1doY05Nakl3TmpFM01UTXlPRFEzV2pBQU1Ga3dFd1lICktvWkl6ajBDQVFZSUtvWkl6ajBEQVFjRFFnQUVJMnZza3RHS0lMbldVTjZDeTYyVlNFenFDcjkvSmNPc2g5M28KclVMa1NtZkZTRWxaTmhrRWJCVW5iRGpoOWxSTGxPeFNSUWRtTjdubEU4cGErVlI4MzZPQ0FVZ3dnZ0ZFTUE0RwpBMVVkRHdFQi93UUVBd0lIZ0RBVEJnTlZIU1VFRERBS0JnZ3JCZ0VGQlFjREF6QWRCZ05WSFE0RUZnUVU3cXdFCnJuOW1oYWIwdGJkSHZ2a1gyRVFQTXBVd0h3WURWUjBqQkJnd0ZvQVUzOVBwejFZa0VaYjVxTmpwS0ZXaXhpNFkKWkQ4d0pBWURWUjBSQVFIL0JCb3dHSUVXY0dGMGNtbGphMEJqYUdGcGJtZDFZWEprTG1SbGRqQXBCZ29yQmdFRQpBWU8vTUFFQkJCdG9kSFJ3Y3pvdkwyRmpZMjkxYm5SekxtZHZiMmRzWlM1amIyMHdnWXNHQ2lzR0FRUUIxbmtDCkJBSUVmUVI3QUhrQWR3QUlZSkx3S0ZML2FFWFIwV3NuaEp4Rlp4aXNGajNET05KdDVyd2lCalp2Y2dBQUFZRngKMFBESUFBQUVBd0JJTUVZQ0lRQ3RVTUtyU0lXT3B6U2ZHOU1iTGV3UFQycXlhS1g0bFFYa056ZmpQeDRzRHdJaApBTXpuQVlibVM0Tk43ZXpRM1JTby80ZXNzdlplVG13UkRnZjBVWlBRbmFaRE1Bb0dDQ3FHU000OUJBTURBMmdBCk1HVUNNSE45Nyt2R1BqQmxVSUQwbzliN2tmTEVSejc2YTBkcTVvVENDUVJHS0lpV0thTTJkczN5cHphQmh0ZmYKbTRqRFJ3SXhBT2JoOGtTM3dhL0VsdnY5VjJDenV6Nm9MNDlQcXpTQ0M3WG52TmNXVGFXdjE5UFFxZk9VTm1qSwoyRk54dzZMbDBBPT0KLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQo=% ``` running this through base64...

Cosign should retry Fulcio and Rekor RPCs

1

**Description** @vaikas mentioned to me that cosign commands occasionally fail due to an unexpected error either from the network or Sigstore backends. These errors typically will come at the very...

Investigate maintaining the rekor search index as a separate continuous job

4

(this idea came from @vaikas during the weekly on-call) **Description** Currently the rekor entry creation flow is responsible for calling Redis to include new entries in the index. Ideally the...

It would be really nice to have a collection of test data to test client conformance

6

Generating test data for TUF clients is time consuming and error prone. It could be really cool to have a test data set to exercise clients and certify that they're...

Ubuntu colorized prompt PS1 causes export command to be outputted at start of every shell

1

I'm a bit clueless when it comes to Bash/Linux so this is probably due to user error, but when I use the colorized ubuntu PS1 I see the following: `]0;export...

https://github.com/patflynn/kplay/blob/master/spring-boot-basic/pom.xml#L112 It looks like configuration.dockerfile is only for standard and is being ignored and my src/main/docker directory is being included instead. This is unexpected as the dockerfile property is scoped...

Deploying a Flex app doesn't show the progress indicator

3

With the latest Cloud SDK a '..' progress indicator is outputted to a single line. From IntelliJ and Maven the progress '.' are outputted all at once when the line...

WaitProcessOutputListener needs to be provided by the AppEngineDevServer implementation

5

related to #330 currently CloudSdk#637 hardcodes the value that triggers server startup complete event.