cosign
Code signing and transparency for containers and binaries
**Description** [`github.com/sigstore/cosign/cmd/cosign/cli/fulcio/fulcioroots`](https://pkg.go.dev/github.com/sigstore/cosign/cmd/cosign/cli/fulcio/fulcioroots) contains methods to get `x509.CertPool`s representing Fulcio's root and intermediates. To do this, it calls [`initRoots`](https://github.com/sigstore/cosign/blob/89b9e88d3e4b6f103cd3faf2124bd3dedbc82b00/cmd/cosign/cli/fulcio/fulcioroots/fulcioroots.go#L85), which based on the presence of a `SIGSTORE_ROOT_FILE` env var either loads...
**Description** When I follow the installation instructions at https://docs.sigstore.dev/cosign/installation I get an error: ``` $ go install github.com/sigstore/cosign/cmd/cosign@latest go: downloading github.com/sigstore/cosign v1.8.0 go: github.com/sigstore/cosign/cmd/cosign@latest (in github.com/sigstore/[email protected]): The go.mod file for...
I am currently focusing on cosign verify, but what I am writing probably applies to cosign sign too. I am using AWS KMS to sign images in ECR. There are...
**Question** I pull images from an image registry and I want to verify these local images. Can I use cosign to verify local images? These images have been signed by cosign in remote...
**Question** Is it possible to use `upload blob` with an identity token? Looking in the documentation I found this is supported in the sign command with the `--identity-token` flag but...
When using a local PEM key file, a PKCS#11 key, or a KMS key a user should be able to specify `--cert` and something like `--chain` to specify the [`dev.sigstore.cosign/certificate`](https://github.com/sigstore/cosign/blob/main/specs/SIGNATURE_SPEC.md#certificate)...
**Description** There is now a public staging instance of fulcio and rekor - https://fulcio.sigstage.dev - https://rekor.sigstage.dev To use cosign in keyless mode requires - deleting the local cosign initialization information...
https://github.com/sigstore/cosign/commit/ac682db9511cc610d5a37704776300421d2c5e30 (CC @asraa) adds the following lines: https://github.com/sigstore/cosign/blob/e74f180ce697dcde62dbe12f48f1a6a26522ea77/cmd/cosign/cli/verify/verify_blob.go#L328-L330 Either (1) this is inverted and it should return `err` or (2) it deserves a comment as to why silence this error...
If I have an unknown flag in my CLI arguments, `cosign` fails no matter how hard I tell it that I want help: ```shell $ cosign sign --bundle foo --help...
Hi! I saw @developer-guy open https://github.com/anchore/grype/issues/614. I think vulnerability scan attestations are a great idea, and I've been catching up on what exists already via these places so far: -...