cosign
Code signing and transparency for containers and binaries
#### Summary The attach/download SBOM commands have been declared as deprecated a long time ago. I believe it is a good time to clean up these not recommended actions. #### Release Note...
**Description** In a Bring Your Own PKI scenario, a user may want to specify a CRL file (in addition to a fullchain file) that can be used to...
This PR adds support for the new [Cosign Bundle Specification](https://github.com/sigstore/cosign/blob/main/specs/BUNDLE_SPEC.md) in `cosign verify-attestation`. This works in conjunction with https://github.com/sigstore/cosign/pull/3888 and is interoperable with GitHub Artifact Attestations. Related: https://github.com/sigstore/cosign/issues/3139 This is...
This PR adds support for the new [Cosign Bundle Specification](https://github.com/sigstore/cosign/blob/main/specs/BUNDLE_SPEC.md) in `cosign attest`. Related: https://github.com/sigstore/cosign/issues/3139 This is in draft for now pending: - [ ] TSA timestamp payload modified per...
## Migration of Public API in support of sigstore-go migration As we work toward [support of the TrustedRoot](https://github.com/sigstore/cosign/issues/3700) in the cosign verifier, I would like to take a moment to...
**Description** There are cases where using the public Sigstore deployment is not an option, e.g. privacy concerns. Some organizations may opt to provide their own Sigstore deployment. Verifiers must then...
Hi, I was trying out `cosign verify --key cosign.pub $IMAGE:$TAG --insecure-ignore-tlog=true`. It did the verification, but when I am passing inter1.crt, where `inter1.crt` is the certificate...
#### Summary Fixes #3880, allowing `dockerfile verify` to validate Dockerfiles where stage names are used in `FROM` statements #### Release Note * Fixed bug that made `dockerfile verify` fail when...
**Description** When a Dockerfile contains a `FROM` statement using a stage name instead of an image, `dockerfile verify` fails because `cosign` tries to pull the stage name as if it were...
**Description** 1. [This unit test](https://github.com/sigstore/cosign/blob/780780b11e0998512c034317fd7e98776153e59d/pkg/cosign/ctlog_test.go#L33) does not use a temporary sandbox and therefore uses the user's existing TUF configuration, if it exists, as part of its test. 2. Other related...