cosign
Code signing and transparency for containers and binaries
**Description** I met this error when trying `cosign sign`.

```
$ COSIGN_PASSWORD="" ./cosign sign --upload=true --tlog-upload=false --certificate-chain staging_ca_bundle.pem --key import-cosign.key --cert cert --timestamp-server-url https://tsa.enforce.dev/api/v1/timestamp haskell@sha256:f33e8cb119fd5b436c39a3f45000bf732bce8e2ac71553ac5d307c10d01418ba
Error: signing [haskell@sha256:f33e8cb119fd5b436c39a3f45000bf732bce8e2ac71553ac5d307c10d01418ba]: getting signer:...
```
**Description** While `cosign verify-blob` will accept a certificate and CA chain to verify against, it appears the signing command won't accept them. Feels reasonable to make these two commands symmetric.
**Description** Option to turn off the email verification check on the id token being returned by an oidc issuer. Another option may be to make some claim verifications configurable for...
**Description** See also https://github.blog/changelog/2023-01-10-github-actions-openid-connect-token-now-supports-more-claims-for-configuring-granular-cloud-access/

Recently, GitHub announced that the OpenID Connect token supports more claims:

- `actor_id`
- `repository_id`
- `repository_owner_id`
- `workflow_ref`
- `workflow_sha`
- `job_workflow_sha`

https://token.actions.githubusercontent.com/.well-known/openid-configuration

It may be...
**Description** We would like there to be a relatively compact Go library that people can use for Sigstore bundle verification, instead of having to depend on all of sigstore/cosign. In...
Added in https://github.com/sigstore/cosign/issues/247 to support a use case like:

```
cosign verify \
  --url https://raw.githubusercontent.com/image-publishing-org/project-repo/$RELEASE_TAG/cosign.pub \
  gcr.io/image/to/verify:$RELEASE_TAG
```

This seems to get used in a few places:

- Misc. places...
A user in Slack has a use case that looks like the following:

1. There's an upstream image we depend on (`alpine:latest`) with no signatures.
2. We want to verify...
**Problem** The current OIDC device flow prints out a URL to complete OIDC and then waits for the OIDC token. However, this is not compatible with how GitHub Actions logging...
**Description** We should verify the response from the timestamp authority when it's received, as per RFC 3161:

```
Upon receiving the response (which is or includes a TimeStampResp that normally...
```
There does not appear to be a quiet flag for `cosign`, which means it's not possible to silence extraneous output when using `cosign` in scripts; for example, `cosign verify-blob` outputs...