Zack Newman

Results: 71 issues by Zack Newman

See helpful context: https://github.com/sigstore/cosign/pull/2461#discussion_r1024644134

> The `verify-*` commands have this argument:
>
> > `--certificate-chain string`: path to a list of CA certificates in PEM format which will be needed...

bug

(This is written about GitHub so we have a specific example, but applies to all future CI/CD providers!) Right now, you need to deal with a menagerie of flags to...

bug
enhancement

Added in https://github.com/sigstore/cosign/issues/247 to support a use case like:

```
cosign verify \
  --url https://raw.githubusercontent.com/image-publishing-org/project-repo/$RELEASE_TAG/cosign.pub \
  gcr.io/image/to/verify:$RELEASE_TAG
```

This seems to get used in a few places:

- Misc. places...

bug

A user in Slack has a use case that looks like the following:

1. There's an upstream image we depend on (`alpine:latest`) with no signatures.
2. We want to verify...

enhancement

See [Proposal: Cosign Versioning](https://docs.google.com/document/d/1urWUPhtzXKWqL9CoaEw4Z35v5IDl9yrTRQ40XlYekOo/edit#) and https://github.com/sigstore/cosign/discussions/2365

bug

You should be able to `cosign copy` an image and its {signatures,attestations,etc.} *first* to disk, *then* to another repository. (Example use case: copying across an air-gap.) This might also look...

enhancement

Right now, if `--ct-log-url` is not passed, we don't set up the CT log: https://github.com/sigstore/fulcio/blob/d43e0d948c1f26d9a6d910857c7ecb86b8980564/cmd/app/serve.go#L225 That feels easy to do accidentally. Should we require a `--no-ct-log` flag for testing or...

bug

Thanks to @EthanHeilman for the idea and sketch of how it might work. Proof of concept plan:

1. Write/find code for [GQ signatures](https://crypto.stackexchange.com/questions/16015/proving-the-possession-of-signature-in-zero-knowledge/16039#16039) which can be used as a (non-interactive)...

enhancement

The [Sigstore conformance test suite](https://github.com/sigstore/sigstore-conformance) needs access to some OIDC token to run its tests (which run against Sigstore staging, and include OIDC-based signing flows). GHA (quite sensibly) prohibits access...

enhancement

The below describes a *hypothetical* issue. Right now, we do everything correctly. But I'd like to see us a bit more defensive here.

-------------------------------------------------------------------

We populate the [1.3.6.1.4.1.57264.1.1 extension](https://github.com/sigstore/fulcio/blob/69f96cd64a1e580f607b7941558ecb08020728e9/docs/oid-info.md#1361415726411--issuer)...

bug
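The issue above concerns the Fulcio `1.3.6.1.4.1.57264.1.1` (Issuer, V1) certificate extension. As an added example that is not code from Fulcio, cosign, or the issue author, the block below shows the defensive check a verifier can do on its side: pull the issuer URL out of that extension and compare it byte-for-byte against the issuer a policy expects, failing closed when the extension is missing or empty. It assumes only what `docs/oid-info.md` documents for V1, namely that the extension value is the raw issuer string (not DER-wrapped, which is what the later V2 OID changed). The function names (`FulcioIssuer`, `CheckIssuer`, `NewTestCert`) are hypothetical, and `NewTestCert` builds a locally constructed self-signed certificate so the example runs offline without any Fulcio-issued certificate.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// oidFulcioIssuerV1 is the Sigstore "Issuer (V1)" extension, 1.3.6.1.4.1.57264.1.1.
// Fulcio stores the OIDC issuer URL here as a raw string, without DER encoding.
var oidFulcioIssuerV1 = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 57264, 1, 1}

// ErrNoIssuerExtension is returned when a certificate carries no V1 issuer extension.
var ErrNoIssuerExtension = errors.New("certificate has no Fulcio issuer (V1) extension")

// FulcioIssuer returns the issuer URL from the V1 extension, or an error if the
// extension is absent or empty. (Hypothetical helper, not a Fulcio/cosign API.)
func FulcioIssuer(cert *x509.Certificate) (string, error) {
	for _, ext := range cert.Extensions {
		if !ext.Id.Equal(oidFulcioIssuerV1) {
			continue
		}
		if len(ext.Value) == 0 {
			return "", errors.New("Fulcio issuer (V1) extension is present but empty")
		}
		return string(ext.Value), nil
	}
	return "", ErrNoIssuerExtension
}

// CheckIssuer is the verifier-side policy check: the certificate must carry the
// extension and its value must match the expected issuer exactly. Anything else
// (missing, empty, or different) is a hard failure rather than a silent pass.
func CheckIssuer(cert *x509.Certificate, expected string) error {
	got, err := FulcioIssuer(cert)
	if err != nil {
		return err
	}
	if got != expected {
		return fmt.Errorf("issuer mismatch: certificate says %q, policy expects %q", got, expected)
	}
	return nil
}

// NewTestCert builds a constructed, self-signed leaf with the V1 issuer extension
// set to issuer; an empty issuer omits the extension entirely. Demonstration only:
// this is not how Fulcio issues certificates, it just reproduces the extension layout.
func NewTestCert(issuer string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "constructed test leaf"},
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().Add(10 * time.Minute),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	if issuer != "" {
		tmpl.ExtraExtensions = []pkix.Extension{{Id: oidFulcioIssuerV1, Value: []byte(issuer)}}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	const gha = "https://token.actions.githubusercontent.com" // assumed expected issuer
	cert, err := NewTestCert(gha)
	if err != nil {
		panic(err)
	}
	fmt.Println("matching issuer:", CheckIssuer(cert, gha))
	fmt.Println("wrong issuer:   ", CheckIssuer(cert, "https://accounts.google.com"))
	noExt, err := NewTestCert("")
	if err != nil {
		panic(err)
	}
	fmt.Println("no extension:   ", CheckIssuer(noExt, gha))
}
```

The comparison is an exact string match on purpose: normalising, prefix-matching, or trimming the issuer would reopen the kind of ambiguity the issue is worried about, so the policy side should carry the exact issuer URL it trusts.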