cosign
Add OIDC token verification to GitHub provider.
The GitHub provider somewhat blindly requests tokens from the GitHub provider and returns them to the application. The provider should probably do some verification on the token to make sure it contains what is expected.
Some data that could be verified:
- audience
- issuer
- expiry
- signature
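
The four checks listed above, written out with only the Go standard library. This is an added example, not cosign's code. The function name `verify`, the sample audience `sigstore`, and a public key already fetched from the issuer's JWKS endpoint are assumptions.

```go
package main

import (
	"crypto"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

const issuer = "https://token.actions.githubusercontent.com" // "iss" of GitHub Actions OIDC tokens

// verify checks signature, then issuer, audience and expiry. Assumptions: RS256,
// a string "aud", and a public key already fetched from the issuer's JWKS.
func verify(tok string, key *rsa.PublicKey, aud string, now time.Time) error {
	p := strings.Split(tok, ".")
	if len(p) != 3 {
		return errors.New("malformed token")
	}
	// The algorithm is pinned to RS256; the header's "alg" is never consulted.
	sig, err := base64.RawURLEncoding.DecodeString(p[2])
	sum := sha256.Sum256([]byte(p[0] + "." + p[1]))
	if err != nil || rsa.VerifyPKCS1v15(key, crypto.SHA256, sum[:], sig) != nil {
		return errors.New("bad signature")
	}
	var c struct {
		Iss, Aud string
		Exp      int64
	}
	raw, err := base64.RawURLEncoding.DecodeString(p[1])
	switch {
	case err != nil || json.Unmarshal(raw, &c) != nil:
		return errors.New("unreadable claims")
	case c.Iss != issuer:
		return errors.New("unexpected issuer")
	case c.Aud != aud:
		return errors.New("unexpected audience")
	case !now.Before(time.Unix(c.Exp, 0)):
		return errors.New("token expired")
	}
	return nil
}

func main() { // constructed malformed input, rejected before any key is used
	fmt.Println(verify("not-a-jwt", nil, "sigstore", time.Now()))
}
```

Claims are read only after the signature verifies, and a token with a missing `exp` or a non-string `aud` is rejected rather than accepted.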