You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Currently sigstore-rs verifies a cosign signature stashed in an OCI registy, but we might also want to attest blobs locally (exist in rekor and signed with an ODIC account or pub key that we provide). We would likely want a client to perform this, but we expose the ABI in sigstore-rs to allow them to so so
The text was updated successfully, but these errors were encountered:
I have a PR for this for "cosign" but be aware that there's currently a bug in Rekor: sigstore/rekor#582 so you can't actually verify the signature from Rekor. You will need to keep the signature locally.
I have a PR for this for "cosign" but be aware that there's currently a bug in Rekor: sigstore/rekor#582 so you can't actually verify the signature from Rekor. You will need to keep the signature locally.
Thanks for pointing that out! Looks like the issue is now resolved.
From @lukehinds
Currently sigstore-rs verifies a cosign signature stashed in an OCI registy, but we might also want to attest blobs locally (exist in rekor and signed with an ODIC account or pub key that we provide). We would likely want a client to perform this, but we expose the ABI in sigstore-rs to allow them to so so
The text was updated successfully, but these errors were encountered: