cosign
Code signing and transparency for containers and binaries
Related to [Sigstore clients should require a provided identity](https://docs.google.com/document/d/1o8_bXIygufgiohJGlmBzqF4_BnXCTfgh4ILgJFJxYRs/edit?resourcekey=0-YEar3v67uoT31kj83dCVvA). Right now, if you want to poke around at a signature/cert, the easiest way to do that is to run `cosign...
Today, I can `cosign sign` and include annotations, which end up in the signature: ``` COSIGN_EXPERIMENTAL=1 cosign sign gcr.io/imjasonh/test -a foo=bar ... COSIGN_EXPERIMENTAL=1 cosign verify gcr.io/imjasonh/test | jq { "critical":...
**Question** I was wondering if it would be possible to change the name of the pem and key files while creating them. Something like `cosign generate-key-pair --name project-3`
**Description** In Usage: https://github.com/sigstore/cosign/blob/main/KEYLESS.md#usage ``` $ COSIGN_EXPERIMENTAL=1 cosign verify gcr.io/dlorenc-vmtest2/demo The following checks were performed on all of these signatures: - The cosign claims were validated - The claims were...
**Description** Currently, if you run `cosign verify` against a non-existent image, against an unsigned image, or against a signed image with a different key, the exit status is the...
Options exist to work with insecure registries for _cosign sign_ (--allow-http-registry) and _cosign verify_ (--allow-insecure-registry). Please add a similar option to _cosign save_.
The artifacts uploaded by cross.yaml are not used anywhere. Moreover, the ability to build on all three platforms and use the resulting binary is already tested in e2e-with-binary.yml. This change...
Closes: #3577 #### Summary Adds a new spec doc which describes the scheme for publishing/retrieving Sigstore bundles to/from an OCI registry. [Rendered version](https://github.com/bdehamer/cosign/blob/bdehamer/bundle-spec/specs/BUNDLE_SPEC.md)
* Rewrite the shell scripts run in `e2e-secrets` and `e2e-tsa-mtls` as Go tests. - Since these tests were being run on macos and ubuntu runners, we still keep them separate...
Many of the Sigstore clients already have support for generating/verifying the [protobuf bundle](https://github.com/sigstore/protobuf-specs/blob/main/protos/sigstore_bundle.proto), but adding this support to tools like cosign and the [policy-controller](https://github.com/sigstore/policy-controller) requires that we standardize on an...