TUF: GetRekorPubs should be used in CheckOpts, like Fulcio CheckOpts.Roots

Open asraa opened this issue 3 years ago • 2 comments

Description

This will require a change to upstream sigstore/sigstore and then we can call the function to get rekor pubs from sigstore's root.

cc @imjasonh @haydentherapper

asraa, Jun 10 '22 14:06

Having a method to determine the correct Rekor pubs sounds generally useful outside of cosign. Can we add this to sigstore/sigstore and just call it from cosign?

Or, if we need to have a method in cosign to do it, can we make it unexported or in an internal package, so folks are steered toward the sigstore/sigstore equivalent?

imjasonh, Jun 10 '22 16:06

> Having a method to determine the correct Rekor pubs sounds generally useful outside of cosign. Can we add this to sigstore/sigstore and just call it from cosign?

That's the plan

asraa, Jun 10 '22 16:06