cosign
Code signing and transparency for containers and binaries
**Description** I want to be able to clean all signatures off of a signed image, but `cosign clean` fails. **Steps to Reproduce:** Start with a signed image that has been...
**Description** We were having trouble upgrading to latest cosign because our license checks were failing here: https://github.com/sigstore/policy-controller/pull/236 Looks like there's a mismatch between what's being checked in cosign and in...
e.g. `cosign dockerfile resolve` As part of fixing https://github.com/sigstore/cosign/issues/648, we should create a surface which resolves _mutable_ image tags into _immutable_ image digests. Ideally it would be able to both...
**Description** Today `cosign verify-dockerfile` is dangerous because it verifies and allows `FROM image:tag` vs. `FROM image@sha256:deadbeef`. This is dangerous because even if what's currently tagged on the registry is signed...
We should document how rekor can be used to detect and recover from a compromised account or key.
**Description** This is not specific to cosign but an issue across Sigstore. Run AllStar https://github.com/ossf/allstar across Sigstore to improve the security posture. https://twitter.com/infernosec/status/1437647160154071045
**Question** Why are the signatures OCI Images rather than OCI Artifacts? I've been poking through the docs and website for a while, but couldn't track down an answer, or even...
**Question** While I was looking at #809, I thought about how we might want to handle ephemeral containers. Just wanted to jot this down and see what folks thought about...
**Description** Currently the `cyclonedx` option for the `cosign attest --type` flag expects to receive a CycloneDX SBOM that is JSON formatted. This was a bit ambiguous, and for some...
**Description** This type allows full verification of the intoto entry. See https://github.com/sigstore/rekor/pull/973 We can migrate upload support to v0.0.2 and continue supporting v0.0.1 for verification. I can stage the PR...