Ramon Petgrave
Closing due to inactivity.
Since it's only the npm ecosystem that needs the customization, I think I prefer option 2. It seems like it would need the least amount of potentially disruptive changes.
Thanks for reporting this. It seems like a go-style initialism that we've mistakenly enforced. I'm a bit surprised we're not seeing compatibility errors between the generators and slsa-verifier. I'd like...
Lots of folks are using older versions of the generic generator, so it could be wiser for you to maintain backwards compatibility for preexisting provenances. But first, is the new...
Another great thing to have is the ability to attest to scorecard results over a time period, or to verify that certain checks were not violated in previous x months...
@mozillazg We have a draft PR adding plugin support for KMSs. https://github.com/sigstore/sigstore/pull/1901 We're going to next experiment with converting the existing GCP support into a plugin. If you have time,...
> @ramonpetgrave64 During plugin development ([code](https://github.com/mozillazg/sigstore/blob/alibaba-plugin/cmd/sigstore-kms-alibabakms/main.go)), I found:
>
> * `./cosign generate-key-pair --kms alibabakms://xxx` can work as expected.
> * However, the following commands result in a...
@mozillazg We've just merged what I think should be the last PR for the cliplugin system. All methods are now implemented, so please take another look. Here's an example I...
While we wait for this to get picked up, I’ve been downloading the artifacts with `artifact-id` and `actions/github-script@v7` after `npm install @actions/[email protected]`. ``` … jobs: build-low-perms: outputs: build-artifact-id: ${{ steps.upload-artifact.outputs.artifact-id...
The keys in the TUF root have been rotated and now include an end date.
- https://github.com/sigstore/root-signing/commit/6625c6505857c992f62ee6a55353f15b36b023d7

Newer attestations seem to be using the new key, and the older slsa-verifier...