Move the transparency log feature out of experimental
Some things I want to figure out first:
How should this be configured? Opt in vs. opt out?
Proposal: Upload by default for public images (where we can tell), but opt-in for private images.
How should verification be configured?
Is it a failure to verify if the signature is not present? Should we check by default?
Proposal: Check by default for a public image; warn if the signature is not present, but still pass. Opt-in check for private images. If the opt-in flag is passed for public or private images, fail if the signature is not present.
I think we're close here with offline bundling. We'll still want to be careful about adding entries to the log, but verification can happen if there's a bundle, whether or not we're in experimental.
@dlorenc is this issue still valid or should we close it out? It was added to the GA plan (unclear as to why), so I wanted to verify before taking it off the plan of record.
So this basically means that we will remove the "experimental" env var requirement from cosign once Rekor/Fulcio are stable. Think it makes sense as a GA requirement since GA assumes the services are reliable not experimental.
This issue is stale because it has been open 60 days with no activity. Remove stale label or comment or this will be closed in 5 days.
I feel like this is covered between https://github.com/sigstore/cosign/pull/2387 and https://github.com/sigstore/cosign/issues/2376 🤷
sgtm, will close!