cosign
Code signing and transparency for containers and binaries
**Description** Based on the [Signature Spec](https://github.com/sigstore/cosign/blob/main/specs/SIGNATURE_SPEC.md#simple-signing) the `critical.identity.docker-reference` field is ignored. This field could be confusing when copying images & signatures across different registries. Do you think it would be useful to...
Fixes #1324 Signed-off-by: Bob Callaway
`COSIGN_EXPERIMENTAL` was introduced AFAICT for two reasons: 1. The Sigstore *idea*, *interface*, and *implementation* were still experimental 2. The Sigstore *infrastructure* wasn't reliable/didn't have guarantees. So to start, anything that...
Right now, the counter-signing demo has you sign an image, then sign the signature as follows: ```shell $ crane tag $(cosign triangulate dlorenc/demo) mysignature 2021/02/15 20:22:55 dlorenc/demo:mysignature: digest: sha256:71f70e5d29bde87f988740665257c35b1c6f52dafa20fab4ba16b3b1f4c6ba0e size:...
Hi! I am new to Harbor, there is a Dockerfile in the project repository. From this Dockerfile, I built a cosign image with the command: > docker build -t cosign:v1.0.0...
#### Summary - update workflow to use workload identity instead of key Before we merge this, we need to add the service account the permission for the workload identity, delete...
**Description** The reference types work is off and running now in OCI, and we should start to think through how we'll adopt it here in cosign. Assuming the work completes,...
**Description** Right now, all containers use offline verification by default, and only perform online verification as a fallback mechanism. This is because offline Rekor bundles are stored along in the...
Since https://github.com/sigstore/cosign/pull/1756 cosign issues a warning when using `cosign attach sbom` and `cosign download sbom`, heavily encouraging users to use `cosign attest` and `cosign download attestation` instead: ``` WARNING: Downloading...
**Description** I've validated that `cosign copy` works exactly as expected when copying from Azure ACR to registry v2 and JFrog's JCR, however attempting to copy to 2 separate Harbor registries,...