You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
We have implemented the functionality to sign and verify genval artifacts using Sigstore/cosign. At the time of implementation, this was the way as Sigstore had not released its library for these functionalities. This implementation works by calling Cosign's CLI commands for signing which imposes a dependency on users to have the Cosign CLI utility installed on their local systems. For verification of signatures, we use Sigstor's different packages like fulcio, rekor etc, which bloats the genval binary size.
Hence, it is proposed to migrate from the current implementation to use the new client library released by the Sigstore team — sigstore-go a minimal and friendly API for integrating Go code with Sigstore that is located at github.com/sigstore/sigstore-go
The text was updated successfully, but these errors were encountered:
We have implemented the functionality to sign and verify genval artifacts using Sigstore/cosign. At the time of implementation, this was the way as Sigstore had not released its library for these functionalities. This implementation works by calling Cosign's CLI commands for signing which imposes a dependency on users to have the Cosign CLI utility installed on their local systems. For verification of signatures, we use Sigstor's different packages like
fulcio,rekoretc, which bloats the genval binary size.Hence, it is proposed to migrate from the current implementation to use the new client library released by the Sigstore team —
sigstore-goa minimal and friendly API for integrating Go code with Sigstore that is located atgithub.com/sigstore/sigstore-goThe text was updated successfully, but these errors were encountered: