Zack Newman

Results 71 issues of Zack Newman

```
$ cosign attach -h
Provides utilities for attaching artifacts to other artifacts in a registry

Usage:
  cosign attach [command]

Available Commands:
  attestation Attach attestation to the supplied container image...
```

enhancement

Related to [Sigstore clients should require a provided identity](https://docs.google.com/document/d/1o8_bXIygufgiohJGlmBzqF4_BnXCTfgh4ILgJFJxYRs/edit?resourcekey=0-YEar3v67uoT31kj83dCVvA). Right now, if you want to poke around at a signature/cert, the easiest way to do that is to run `cosign...

enhancement
good first issue

Previously, when using a StringScheme, the Kafka spout would always output the Kafka messages in a field called "str"; in this pull request, the constructor to StringScheme takes a parameter...

See https://github.com/chainguard-dev/cosign-ecs-verify/pull/15 and https://github.com/chainguard-dev/cosign-ecs-verify/pull/14 Looks like it depends on some cloud resource that has been garbage collected.

A lot of this stuff assumes that you know what signatures are etc.

This is a rapidly evolving space, but there's a lot of good stuff here: - the OpenSSF working group has put together some documents - the RubyGems RFC, and PEPs...

documentation

Git has [a credential cache of its own](https://git-scm.com/docs/gitcredentials) that looks very similar to the gitsign-credential-cache. I assume there's a good reason not to use it; can we add that to...

bug

Right now, Rekor signs the representation of the Rekor entry as-provided. Most Rekor entries are JSON, so there's no canonical encoding. The current implementation of the Bundle format relies on...

enhancement

Hi, I would like to enquire if SigStore has any plans to facilitate integrating technology partners to act as KMS service providers via the KMIP standard. I note Sigstore...

I think these are all fine as incremental improvements. If I'm allowed to dream big: -------------------------------------------------------------------------------- My overall philosophy here is to *have flags to specify really clearly* what's going...