sigstore-js
Code-signing for npm packages
This PR was opened by the [Changesets release](https://github.com/changesets/action) GitHub action. When you're ready to do a release, you can merge this and the packages will be published to npm automatically....
**Question** - Sigstore: Whether to support npm embedded signatures. If it is supported, how do I manage signatures and artifacts if I separate signatures?
**Description** Hi! In [slsa-github-generator](https://github.com/slsa-framework/slsa-github-generator), we use Sigstore to generate and verify our signing tokens. Our workflows were working with Sigstore `v1.8`, however, when we upgraded to `v1.9`, we experienced issues...
Fixes #526 Replaces https://github.com/sigstore/sigstore-js/pull/552 #### Summary Updates `@sigstore/sign` to use "dsse" as the default Rekor type when submitting DSSE-wrapped payloads. This replaces the current "intoto" type currently in use. NOTE:...
In the [Sigstore clients special interest group](https://github.com/sigstore/sig-clients) [meeting today](https://docs.google.com/document/d/1PNbBZSG3QC8hWVYBx6YDppaXwmSLDfx7t66ECaGa8y4/edit#heading=h.amx8uup2nogs), we discussed an [issue with the release signatures on CPython](https://github.com/sigstore/sigstore-python/issues/600). We have two recommendations for client libraries: 1. After signing, the...
**Description** This has not been rolled out into the production sigstore environment yet, but it is available in staging (rekor.sigstage.dev). https://github.com/sigstore/rekor/pull/1487 added support for a new pluggable type `dsse` which...
**Description** I think a typical use case will be a project that has N people who are authorized to sign artifacts (releasers in the case of the Node.js project -...