Billy Lynch
I think the `--check` option makes the most sense here. We can keep the existing behavior (which seems useful as a standalone reporting tool).
Did some research today - this would need more work. We can't guarantee that all users are vendoring their dependencies. If for whatever reason the upstream source is unavailable, deleted,...
An opt-out flag SGTM, so long as we include a warning about the consequences of doing so. I haven't poked around the x/mod code recently, but I'm curious if we...
👍 Sounds good to me! I'll take a pass at this.
@sagikazarmark would you be able to take a look at this? 👀
Friendly bump. Let me know if there's anything I can do on my end to move this along! 🙏
Want to chime in to +1 this! I've been talking to a few folks informally (cc @lumjjb @chuangw6 @mattmoor @mlieberman85) about wanting a place for additional details in the SLSA...
I think https://github.com/sigstore/gitsign/pull/87 fixes this, so long as a TTY is available in the session - try updating to v0.2.0! This is what gitsign looks like for me at a...
Some more thinking about this - using committer emails to verify against for human users should be relatively easy, but we still need to figure out: 1. How to find...
Did some thinking + experimentation around this - here's a rough proposal: For `gitsign verify`, we can provide customized flags that match the experience of `cosign verify` (e.g. `--certificate-email`, etc.)....