cosign
Code signing and transparency for containers and binaries
**Description** According to the [IANA registration](https://www.iana.org/assignments/media-types/application/spdx+json), the media type for SPDX JSON documents should be `application/spdx+json`. Currently, it is set to "text/spdx+json" in:
- https://github.com/sigstore/cosign/blob/493e6e29e2ac830aaf05ec210b36d0a5a60c3b32/pkg/types/media.go#L30
- https://github.com/sigstore/cosign/blob/493e6e29e2ac830aaf05ec210b36d0a5a60c3b32/specs/SBOM_SPEC.md?plain=1#L122

**Version** head
**Description** Currently, when verifying a container, you get a message saying what items were verified, followed by a non-human-readable string of text. When you verify a blob, you get...
#### Summary
This PR fixes the bugs while attaching the `rekor-bundle` into an image. Closes #3458
#### Release Note
Bug fixes and fixes of previous known issues
#### Documentation
-...
## Background
Sigstore created a common format in [sigstore/protobuf-specs](https://github.com/sigstore/protobuf-specs/blob/main/protos/sigstore_bundle.proto) for the output from Sigstore clients. sigstore-python, sigstore-java and sigstore-js currently support the bundle format. Golang currently does not support the...
Currently, cosign verifies images from remote registries. We work in an air-gapped network where an internet connection or a connection to a registry is not possible. The images are uploaded to the system via tarball...
This issue is meant to capture what integrations between cosign/keyless signatures/rekor and RPMs are desired by the community. Some of these may eventually become enhancement requests either in this repo...
**Description** It seems that the OIDC client secret is not taken into account when Cosign is using device flow.

```bash
./cosign-linux-amd64 -d sign docker.redacted.com/testimage:latest \
  --oidc-client-id='sigstore' \
  --oidc-issuer='https://keycloak.redacted.com/realms/testrealm' \
  --fulcio-url='http://fulcio.redacted.com/'
```
...
**Description**

```
$ docker login
Authenticating with existing credentials...
Login Succeeded
Logging in with your password grants your terminal complete access to your account. For better security, log in with a...
```
**Description** Basically, when we sign the image using the `Cosign` signing tool, by default it adds the `rekor-bundle` to the image in the form of an annotation as a value of a...
**Description** We added a new predicate [type](https://github.com/in-toto/attestation/blob/main/spec/predicates/vuln.md) in in-toto for vulnerability attestations, inspired by the initial predicate type defined in cosign for vulnerabilities.