cosign
Code signing and transparency for containers and binaries
cosign has a flag `--allow-insecure-registry` that sets `InsecureSkipVerify=true` in the underlying `tls` config. We would like to have another option that sets the scheme to `http` the same way...
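The two knobs discussed in this issue are not interchangeable, and the difference is worth seeing on the wire: `InsecureSkipVerify` still performs a TLS handshake (the connection is encrypted, only the server's certificate goes unchecked), whereas an `http` scheme sends everything in clear. The following Go program is an added example, not cosign's or go-containerregistry's code; `registryClient`, `Ping` and `probe` are hypothetical names, and the registry stubs are throwaway `httptest` servers on loopback standing in for a real registry's `/v2/` endpoint.

```go
package main

import (
	"crypto/tls"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// registryClient carries the two knobs discussed above. skipVerify mirrors
// what --allow-insecure-registry does (TLS is still used, the certificate is
// simply not checked); plainHTTP is the hypothetical scheme switch.
type registryClient struct {
	client    *http.Client
	plainHTTP bool
}

func newRegistryClient(skipVerify, plainHTTP bool) *registryClient {
	tr := &http.Transport{
		TLSClientConfig: &tls.Config{InsecureSkipVerify: skipVerify},
	}
	return &registryClient{client: &http.Client{Transport: tr}, plainHTTP: plainHTTP}
}

// baseURL builds the distribution API root, picking the scheme.
func (c *registryClient) baseURL(host string) string {
	scheme := "https"
	if c.plainHTTP {
		scheme = "http"
	}
	return scheme + "://" + host + "/v2/"
}

// Ping performs GET /v2/ and treats anything but 200 as a failure.
func (c *registryClient) Ping(host string) error {
	resp, err := c.client.Get(c.baseURL(host))
	if err != nil {
		return err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return fmt.Errorf("unexpected status %d from %s", resp.StatusCode, c.baseURL(host))
	}
	return nil
}

// probe starts a throwaway registry stub on loopback (TLS with httptest's
// self-signed certificate, or plain HTTP) and pings it with the given client
// settings. It returns the error the client saw, nil on success.
func probe(skipVerify, plainHTTP, serverTLS bool) error {
	h := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.URL.Path != "/v2/" {
			http.NotFound(w, r)
			return
		}
		w.WriteHeader(http.StatusOK)
	})
	var srv *httptest.Server
	if serverTLS {
		srv = httptest.NewTLSServer(h)
	} else {
		srv = httptest.NewServer(h)
	}
	defer srv.Close()
	host := strings.TrimPrefix(strings.TrimPrefix(srv.URL, "https://"), "http://")
	return newRegistryClient(skipVerify, plainHTTP).Ping(host)
}

func main() {
	cases := []struct {
		label                            string
		skipVerify, plainHTTP, serverTLS bool
	}{
		{"default client, self-signed TLS registry", false, false, true},
		{"skip-verify client, self-signed TLS registry", true, false, true},
		{"skip-verify client, plain HTTP registry", true, false, false},
		{"http-scheme client, plain HTTP registry", false, true, false},
		{"http-scheme client, TLS registry", false, true, true},
	}
	for _, c := range cases {
		fmt.Printf("%-48s -> %v\n", c.label, probe(c.skipVerify, c.plainHTTP, c.serverTLS))
	}
}
```

The third case is the one that motivates a separate option: a client with `InsecureSkipVerify` set still opens with a TLS ClientHello, so a registry that only speaks plain HTTP answers with an HTTP response and Go reports a transport error rather than falling back. Conversely, pointing the `http` scheme at a TLS listener gets a 400 from the server, so neither setting silently covers the other.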
#### Summary This adds the ability to unmarshal XML-formatted CycloneDX SBOMs and add them as attestation payloads. Previously it was a little ambiguous as to which file format was expected...
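One way to remove the format ambiguity the PR mentions is to sniff the document rather than trust a file extension, then decode both CycloneDX encodings into one struct before wrapping it as a predicate. The Go below is an added example, not cosign's implementation: `sbomFormat`, `parseCycloneDX` and the `cdxBOM` types are hypothetical names covering only a subset of the CycloneDX schema, and the two sample documents are constructed with placeholder component names.

```go
package main

import (
	"bytes"
	"encoding/json"
	"encoding/xml"
	"errors"
	"fmt"
)

// cdxComponent holds the subset of a CycloneDX component this example uses.
type cdxComponent struct {
	Type    string `xml:"type,attr" json:"type"`
	Name    string `xml:"name" json:"name"`
	Version string `xml:"version" json:"version"`
}

// cdxBOM covers top-level fields shared by the JSON and XML encodings. The
// unqualified XML names match the element regardless of schema namespace.
type cdxBOM struct {
	XMLName      xml.Name       `xml:"bom" json:"-"`
	SerialNumber string         `xml:"serialNumber,attr" json:"serialNumber"`
	Components   []cdxComponent `xml:"components>component" json:"components"`
}

// sbomFormat resolves the ambiguity by sniffing the first non-blank byte:
// '{' is JSON, '<' is XML, anything else is rejected up front.
func sbomFormat(data []byte) (string, error) {
	trimmed := bytes.TrimLeft(data, " \t\r\n")
	if len(trimmed) == 0 {
		return "", errors.New("empty SBOM")
	}
	switch trimmed[0] {
	case '{':
		return "json", nil
	case '<':
		return "xml", nil
	}
	return "", fmt.Errorf("unrecognised SBOM encoding (leading byte %q)", trimmed[0])
}

// parseCycloneDX unmarshals either encoding into the same struct and refuses
// a document that names no components, which is never a useful attestation.
func parseCycloneDX(data []byte) (*cdxBOM, string, error) {
	format, err := sbomFormat(data)
	if err != nil {
		return nil, "", err
	}
	var bom cdxBOM
	switch format {
	case "json":
		err = json.Unmarshal(data, &bom)
	case "xml":
		err = xml.Unmarshal(data, &bom)
	}
	if err != nil {
		return nil, format, fmt.Errorf("decoding %s CycloneDX: %w", format, err)
	}
	if len(bom.Components) == 0 {
		return nil, format, errors.New("CycloneDX document lists no components")
	}
	return &bom, format, nil
}

// Constructed sample documents (not real SBOMs), one per encoding.
const sampleXML = `<?xml version="1.0" encoding="UTF-8"?>
<bom xmlns="http://cyclonedx.org/schema/bom/1.4" serialNumber="urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79" version="1">
  <components>
    <component type="library">
      <name>example.com/libfoo</name>
      <version>1.2.3</version>
    </component>
    <component type="library">
      <name>example.com/libbar</name>
      <version>0.9.0</version>
    </component>
  </components>
</bom>`

const sampleJSON = `{"bomFormat":"CycloneDX","specVersion":"1.4","serialNumber":"urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79","version":1,"components":[{"type":"library","name":"example.com/libfoo","version":"1.2.3"}]}`

func main() {
	for _, doc := range [][]byte{[]byte(sampleXML), []byte(sampleJSON)} {
		bom, format, err := parseCycloneDX(doc)
		if err != nil {
			fmt.Println("error:", err)
			continue
		}
		fmt.Printf("%s: serial=%s components=%d first=%s@%s\n",
			format, bom.SerialNumber, len(bom.Components), bom.Components[0].Name, bom.Components[0].Version)
	}
}
```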
#### Summary cosign depends on mongo via `github.com/go-openapi/strfmt`. mongo has retracted v0.10.0 due to a possible data corruption bug (that I don't believe affects cosign in any way at all),...
#### Summary #1905 #### Release Note fix: allow signing of images that don't exist #### Documentation cc @imjasonh
**Description** I have described how we are trying to use Cosign [here](https://github.com/sigstore/cosign/issues/1554#issuecomment-1256109541), but in short, we provision identity certificates to all services and want to use those for signing and...
**Description** @vaikas mentioned to me that cosign commands occasionally fail due to an unexpected error either from the network or Sigstore backends. These errors typically will come at the very...
**Description** When generating SLSA provenance for multiple images, we may want to generate the predicate header with subject digests for all supplied containers and attach each one.
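What "one predicate header with all subject digests" looks like concretely is a single in-toto Statement whose `subject` array lists every image by digest, with the same SLSA predicate underneath. The Go below is an added example, not cosign's or the in-toto libraries' code: `parseDigestRef` and `multiSubjectStatement` are hypothetical helpers, the sample references are constructed (the hex values are the SHA-256 of "" and of "abc", used only as well-formed placeholders), and the predicate body is a stub rather than real build provenance.

```go
package main

import (
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

const (
	statementType     = "https://in-toto.io/Statement/v0.1"
	slsaProvenanceV02 = "https://slsa.dev/provenance/v0.2"
)

type subject struct {
	Name   string            `json:"name"`
	Digest map[string]string `json:"digest"`
}

// statement is the in-toto Statement payload. One statement may list several
// subjects, which is what lets a single provenance document cover every image.
type statement struct {
	Type          string      `json:"_type"`
	PredicateType string      `json:"predicateType"`
	Subject       []subject   `json:"subject"`
	Predicate     interface{} `json:"predicate"`
}

// parseDigestRef turns "registry/repo@sha256:<hex>" into a subject, refusing
// tag references: a subject must be pinned by digest, not by a mutable tag.
func parseDigestRef(ref string) (subject, error) {
	parts := strings.SplitN(ref, "@", 2)
	if len(parts) != 2 {
		return subject{}, fmt.Errorf("%q: reference is not pinned by digest", ref)
	}
	algHex := strings.SplitN(parts[1], ":", 2)
	if len(algHex) != 2 || algHex[0] != "sha256" {
		return subject{}, fmt.Errorf("%q: expected a sha256 digest", ref)
	}
	if raw, err := hex.DecodeString(algHex[1]); err != nil || len(raw) != 32 {
		return subject{}, fmt.Errorf("%q: malformed sha256 digest", ref)
	}
	return subject{Name: parts[0], Digest: map[string]string{"sha256": algHex[1]}}, nil
}

// multiSubjectStatement builds one provenance statement whose subject list
// carries the digest of every supplied image; the same bytes would then be
// attached to each of those images.
func multiSubjectStatement(refs []string, predicate interface{}) ([]byte, error) {
	if len(refs) == 0 {
		return nil, errors.New("no images supplied")
	}
	st := statement{Type: statementType, PredicateType: slsaProvenanceV02, Predicate: predicate}
	seen := make(map[string]bool)
	for _, r := range refs {
		s, err := parseDigestRef(r)
		if err != nil {
			return nil, err
		}
		if seen[s.Name] {
			return nil, fmt.Errorf("%q: image listed twice", s.Name)
		}
		seen[s.Name] = true
		st.Subject = append(st.Subject, s)
	}
	return json.Marshal(st)
}

// decodeStatement parses the JSON back so callers can inspect the subjects.
func decodeStatement(b []byte) (statement, error) {
	var st statement
	err := json.Unmarshal(b, &st)
	return st, err
}

// Constructed image references; the digests are placeholders, not real images.
var sampleRefs = []string{
	"registry.example/app@sha256:e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
	"registry.example/worker@sha256:ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad",
}

// Stub predicate standing in for a real SLSA v0.2 provenance body.
var samplePredicate = map[string]interface{}{
	"builder":   map[string]string{"id": "https://builder.example/stub"},
	"buildType": "https://builder.example/stub/v1",
}

func main() {
	b, err := multiSubjectStatement(sampleRefs, samplePredicate)
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Println(string(b))
}
```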
``` $ cosign attach -h Provides utilities for attaching artifacts to other artifacts in a registry Usage: cosign attach [command] Available Commands: attestation Attach attestation to the supplied container image...
**Description** Minimal reproduction: * Set the `$BUILDPLATFORM` env to `arm/v7`. Happy-path test case: ``` FROM --platform=${BUILDPLATFORM} golang:1.16.3-alpine3.13 AS builder ``` * Unset the `$BUILDPLATFORM` env. Failing test case: ``` FROM...
**Description** `verify-blob` is now implemented in the "cmd/cosign/cli/verify" package, but this is inconsistent with `verify`. The core functions of `verify`, such as `VerifyImageSignature()`, are implemented in "pkg/cosign", and it is easy...