cosign
Code signing and transparency for containers and binaries
**Description** In the same vein as https://github.com/sigstore/cosign/issues/2691, it'd be ideal to not require users to enter the exact issuer string. We could provide a mapping between common providers (Google, GitHub, Microsoft...
**Description** From conversation with @haydentherapper, as a follow-on to #2796 / #2797, this is a longer-term placeholder to follow up on whether to further revise / expand the privacy statement...
**Description** With cosign 2, when verifying a signature in the transparency logs, an OIDC issuer and subject must be matched, but there's very little guidance as to what the options...
**Description** Currently cosign assumes that the transit secret engine will be mounted at the `transit` path all of the time. This is not the case for Vault. The mount path...
Dear maintainers, We've developed an SGX-based Cloud KMS (called eHSM). eHSM is a cloud service that provides functionality to manage keys and secrets by fully leveraging Intel SGX capability....
See [Proposal: Cosign Versioning](https://docs.google.com/document/d/1urWUPhtzXKWqL9CoaEw4Z35v5IDl9yrTRQ40XlYekOo/edit#) and https://github.com/sigstore/cosign/discussions/2365
You should be able to `cosign copy` an image and its {signatures,attestations,etc.} *first* to disk, *then* to another repository. (Example use case: copying across an air-gap.) This might also look...
#### Summary Copy the handling of non-Fulcio keys from the `verify` to all the other verify commands (`verify-attestation`, `verify-blob`, `verify-blob-attestations`). Currently the large code snippets for the `if keylessVerification(c.KeyRef, c.Sk)...
#### Summary Factor out the code loading certificates for keyless verification (from a certificate chain, provided roots / intermediate or from Fulcio) into a helper function `loadCertsKeylessVerification`. This reduces the...
#### Summary This pull request addresses the first part of #3139: adding protobuf bundle support for `cosign sign-blob` and `cosign attest-blob`. You can test this by generating the new bundles,...