cosign
Code signing and transparency for containers and binaries
**Description** The sigstore/sigstore TUF client has been updated to support the ["TSA" usage type](https://github.com/sigstore/sigstore/blob/364b1acc28de3ea95178e82d0b365036d60c6eb1/pkg/tuf/usage_type.go#L29). We currently require the TSA cert chain to be [provided by flag](https://github.com/sigstore/cosign/blob/main/cmd/cosign/cli/verify/verify_blob.go#L118-L141). We can also support...
**Description** Tracking issue for using the new Sigstore TUF client, https://github.com/sigstore/sigstore-go/blob/main/pkg/tuf/client.go. This client adds support for using the new trusted root metadata and improves caching logic. This removes support...
**Description** In trying to assess the current activity and support of the cosign project, it appears the [CODEOWNERS.md](https://github.com/sigstore/cosign/blob/main/CODEOWNERS) file may be out of date. As I understand it, this doesn't...
#### Summary Integrate https://github.com/sigstore/sigstore/pull/1595 into cosign, allowing sign-blob/verify-blob commands to use ED25519ph as necessary. This needs both https://github.com/sigstore/rekor/pull/1959 and https://github.com/sigstore/rekor/pull/1945 How I tested this: ```shell # regular ecdsa + sha256...
**Description** The V2 API is cleaner, and we would like to move towards deprecation of the V1 API. Need to complete https://github.com/sigstore/cosign/pull/1762, which was blocked on testing at the time
**Description** This is continuation of the work started in #3462 but with `cosign sign` instead of `cosign verify`. All the rationale applies - the goal is to allow to run...
Per my understanding, the use of SBOMs was deprecated and should be replaced by attestations. However, the verification of multiarch image attestations can be highly misleading for the end user....
Running `cosign attest ` (almost) concurrently can have the side effect that attestations written to the container registry previously are overridden by later invocations: 1. `cosign attest` no 1 reads...
#### Summary Give the user the option to choose which signing algorithm to use when generating keypairs (#3271). Code based on https://github.com/sigstore/cosign/pull/3479 . #### Release Note #### Documentation
**Description** I'm trying to copy images from a third-party registry to our private ECR, but keep getting hung up on errors like the following ```shell $ cosign copy $SRC_IMAGE $DEST_IMAGE...