Priya Wadhwa
> I'd vote this get covered as an API improvement in v2

sgtm! I'd initially done it this way to avoid the breaking change of switching to an array, but...
Interesting idea! Personally I prefer the `rekor.sigstore.dev` URL so that people can easily know which tlog the entry is in.
I'd prefer the provenance be as correct as possible based on the spec. If we can correctly set `configSource` we shouldn't need `buildConfig` anymore!
> That makes sense to me as long as we still record the param values provided by taskrun/pipeline run in the invocation.parameters section.

SGTM. Re the Cloud Build example, my...
> We can start with an env var for trusting a TSA root CA,

Yep +1, this follows the current pattern we have in cosign. We can stick with RFC3161...
Yep this ticket is only meant to cover that first point, adding support in cosign for using a TSA instead of Rekor, and we can definitely start with the OCI...
sgtm, will close!
Yep I believe so
/remove-lifecycle stale