Cole Kennedy

Results 152 comments of Cole Kennedy

@DiscoLives4ever you have the source available. I want to use k8s to make the setup painless if you have a k8s cluster running.

Adding use case here per our conversation on the forum: We have thousands of points with billboards (MILSYM) that are being updated on an irregular basis (think worldwide flight data)....

We are creating a tool that will generate verifiable environment attestation data. I would like to have a way to reference or embed these attestations in CycloneDX ``` { "_type":...

They are signed DSSE envelopes available in a log or as files. We use Rekor in our initial architecture. Here is an example of an entry: https://log.testifysec.io/api/v1/log/entries?logIndex=125

We had a discussion with Justin Cormack about storing attestations as part of the image manifest. We had concerns about manifest bloat. We need to define OCI manifest size limits...

I think we should do this in --verify. We can create an OCI image or tarball from the attestations used to verify a policy.

We will probably need to rework some of the attestors a bit in order to mock data

This is definitely on the roadmap, but not on our critical path right now as our reference architecture utilizes SPIFFE/SPIRE. We would accept any PRs adding support for Fulcio generated...

Code sample on how to fetch a cert from fulcio here: https://github.com/sigstore/fulcio/pull/324

We will need to get Fulcio set up to work on this issue.