Riccardo Schirone
The signature part is not done though.
> Check package hashes to ensure if the download was proper

Works with v0.1.0
Hi @tanishqdiwan111 ! I think that error is due to the number of calls you are making to OpenAI. Does the error always happen? Did you try after a bit...
I guess I can be added as well, to help with maintenance. cc @artemdinaburg
```json
{
  "mediaType": "application/vnd.dev.sigstore.bundle+json;version=0.2",
  "verificationMaterial": { ... },
  "messageSignature": {
    "messageDigest": {
      "algorithm": "SHA2_256",
      "digest": "Xd/81x5QNKXw3pdWCvhoA2H4aS7Yd9F8hxlfyUtUVwg="
    },
    "signature": "MEQCIEeH9Ktf5pkHgdksH7mJCm4Jl66LemacsZHQ0VLKpgPOAiBsSM+neKdZE3l3AhxII1RuQOSKEk+TZRCspMjhvPxB0g=="
  }
}
```

@tetsuo-cpp are you talking about the signature algorithm...
cc @woodruffw I think similarly to rekor, we want to limit the flexibility to the regular "hashedrekord" types, which I'm not sure include dsse_envelope. If that's the case, for dsse_envelope...
Working on this again, here's the plan for adding support for different signing algorithms:

- [ ] extend `VerifierConfig` https://github.com/sigstore/sigstore-go/blob/0e5547e3d6cdfc0d14e4130a900f72fa51cbca30/pkg/verify/signed_entity.go#L42 to include `LoadOption`s, so that `verify.NewSignedEntityVerifier` can be called with...
> Then in getSignatureVerifer that you linked above, when calling tm.PublicKeyVerifier(pk.Hint()), the already initialized verifier can be returned.

Sounds good to me!

> For the other scenario (using certificate), the...
> > Actually, I think SignatureAlgorithm as suggested in the TODO is wrong. > > Yes, you are right. The comment should mention to use the public key algorithm....
> If the bundle is signed with a certificate there would be no public key hint available, that is used only when the "raw" keys are used as there are...