
Support Witnessing Sigstore Signing with a Timestamp Authority Server #2509

Open
wparr-circle opened this issue Aug 8, 2024 · 1 comment
Labels
kind/feature A request for, or a PR adding, new functionality

Comments

@wparr-circle

wparr-circle commented Aug 8, 2024

GitHub Artifact Attestation (https://github.blog/changelog/2024-06-25-artifact-attestations-is-generally-available/) only uses the public-good Rekor and Fulcio instances for public repositories.
For private repositories it supports the following GitHub-hosted instances (note that it does not use Rekor):

https://fulcio.githubapp.com/
https://timestamp.githubapp.com/

It would be great if containers-sigstore-signing-params.yaml.5 supported a timestamp authority server in the config:

fulcio:
  fulcioURL: "https://fulcio.githubapp.com"
  oidcMode: "staticToken"
  oidcIDToken: "placeholder"
timestampAuthorityURL: "https://timestamp.githubapp.com"

Refer to

@mtrmac
Collaborator

mtrmac commented Aug 8, 2024

Thanks for your report.

More to the point, I think we should also want to accept signatures using a timestamp authority, not Rekor.

@mtrmac mtrmac added the kind/feature A request for, or a PR adding, new functionality label Aug 8, 2024