minder icon indicating copy to clipboard operation
minder copied to clipboard
verified publisher icon stacklok

Support for sigstore's protobuf bundle format coming from an OCI registry

Open rdimitrov opened this issue 2 years ago • 1 comments

Ensure/implement that Minder has support for provenance information stored in an OCI registry that uses the bundle format (currently it's only simplesigning).

References:

  • https://github.com/sigstore/protobuf-specs/blob/b46b842040854ceab8f3a42547ae6e991793d0ef/protos/sigstore_bundle.proto#L111

rdimitrov avatar Feb 19 '24 11:02 rdimitrov

We need a strategy for handling attestations more consistently in rules. @puerco is thinking about this.

evankanderson avatar Jul 30 '24 13:07 evankanderson

I think this will be obvious when we pick up artifact work again. We've heard of sigstore somewhere...

evankanderson avatar Dec 03 '24 14:12 evankanderson