Zack Newman

71 issues by Zack Newman

If I have an unknown flag in my CLI arguments, `cosign` fails no matter how hard I tell it that I want help: `$ cosign sign --bundle foo --help`...

bug

Original title: `sign-blob` seems to ignore `--verbose`

```
$ cosign version 2>&1 | grep GitVersion
GitVersion: v1.6.0
$ export COSIGN_EXPERIMENTAL=1
$ IMAGE_DIGEST=$(cosign upload blob -f /dev/null ttl.sh/$(openssl rand -hex 8):5m)
```
...

bug

From conversation on [Sigstore clients should require a provided identity](https://docs.google.com/document/d/1o8_bXIygufgiohJGlmBzqF4_BnXCTfgh4ILgJFJxYRs/edit?resourcekey=0-YEar3v67uoT31kj83dCVvA#):

> From a conversation hayden and I had -- so I don't forget about this. Does it make sense for...

question

It's becoming clear that we're not telling a consistent story about "Fulcio identities." I filed https://github.com/sigstore/cosign/issues/1947 to address the fact that I've seen a number of instances where users recommended...

question

## Context:

1. [rubygems/rfcs#37](https://github.com/rubygems/rfcs/pull/37): resistance to sigstore adoption based on concerns about privacy and "vendorization"
2. [#371](https://github.com/sigstore/fulcio/issues/371) (non-OIDC email support): using an "email verification flow" to have email logins instead...

enhancement

Discussion in the [RubyGems RFC](https://github.com/rubygems/rfcs/pull/37) indicated interest in a mechanism to verify emails *without* going through an OIDC provider. This should be doable using a stateless email verification flow: 1....

enhancement

The only breaking changes are in `add_key` and `remove_key` (renamed to `revoke_key`), neither of which appears in the go-tuf repo. I think it's ok to upgrade. Probably better to do...

good first issue
dependencies
tests
code health

`go-tuf` added `keyid_hash_algorithms` as a field in [2fbbd60](https://github.com/theupdateframework/go-tuf/commit/2fbbd60ee12ffeb9f2bceeefb5896f9f52eadaef) (June 2020); see [python-tuf#848](https://github.com/theupdateframework/python-tuf/issues/848) for context. However, it never made it into the spec, and now it’s not needed due to [TAP-12](https://github.com/theupdateframework/taps/blob/master/tap12.md)...

`COSIGN_EXPERIMENTAL` was introduced AFAICT for two reasons:

1. The Sigstore *idea*, *interface*, and *implementation* were still experimental
2. The Sigstore *infrastructure* wasn't reliable/didn't have guarantees.

So to start, anything that...

enhancement

Right now, the counter-signing demo has you sign an image, then sign the signature as follows:

```shell
$ crane tag $(cosign triangulate dlorenc/demo) mysignature
2021/02/15 20:22:55 dlorenc/demo:mysignature: digest: sha256:71f70e5d29bde87f988740665257c35b1c6f52dafa20fab4ba16b3b1f4c6ba0e size:
```
...

bug