Adopt the sigstore bundle format in cosign #13
Labels: enhancement (New feature or request)
Description
As part of this effort (sigstore/cosign#2331), we're adding support for storing verification data from timestamp authorities (e.g. sigstore/timestamp-authority) into the current cosign bundle. That means users could use Rekor or a timestamp authority to verify their signed artifacts. However, the current cosign implementation assumes the bundle only contains Rekor data.
As a consequence, we decided to reuse the sigstore bundle format approved in this repository. This format would help us to extend the current RekorBundle into a more generic Bundle that could satisfy this new use case. At the same time, we should ensure this new Bundle type does not break the old format, and thus avoids backwards compatibility issues.
We've started proposing some changes in sigstore/cosign#2422, where @haydentherapper suggested including the maintainers of this spec and deciding about this new type.