Zack Newman
This working group has produced a ton of useful information about how best to build a secure package repository, along with data on what repositories are currently doing. Can we...
Lots of ink has been spilled on cryptographic signing in package managers (see "Misc. references" below). And we've certainly had our fair share of discussion in this working group. Still,...
We get a lot of questions about air-gapped deployments for Cosign, policy-controller, etc. There are a fair number of important considerations: getting TUF roots across, etc. Worth writing up once...
The beginnings of this exist already:
- https://docs.sigstore.dev/cosign/custom_components
- #19

But I propose the following reorganization:
- Run your own Sigstore
- Overview
- Scaffolding
- Managing keys with TUF...
See https://github.com/sigstore/cosign/issues/2416 This page should mention `GITLAB_HOST`: https://docs.sigstore.dev/cosign/git_support Also might be nice to have a page where we document *all* the env vars (a la `cosign env`).
What happens if a Fulcio/Rekor key is compromised? We [have a proposed plan](https://docs.google.com/document/d/1tRDnxhivZU__4F_Y-Bnk8EVcBbwxZETJyALegN6TU1c/edit?resourcekey=0-c2-NL_s-PEAOoK0t3us0ug#heading=h.v9ayc9uf4b8n), but it's not documented on the web site. There are two reasons we might want to do...
We're planning on using some of these things as interchange formats. There's a few references to "when encoded as JSON" etc. in the protos. Can we get a little more...
https://github.com/sigstore/cosign/issues/2434 proposes adding "conformance testing" to Cosign ([previously implemented in sigstore-python](https://github.com/sigstore/sigstore-python/pull/298)). I think this is a great idea and we've been thinking about it in the abstract in this repository....
See https://github.com/sigstore/cosign/issues/2557 and https://github.com/sigstore/rekor/issues/845
I would like to at least explore the idea of multiple signatures as well. Different objects in a repository like java might come from different sources and then uploaded together,...