Support Witnessing Sigstore Signing with a Timestamp Authority Server
GitHub Artifact Attestations (https://github.blog/changelog/2024-06-25-artifact-attestations-is-generally-available/) only uses the public-good Rekor and Fulcio instances for public repositories. For private repositories it supports the following GitHub-hosted instances (note that it does not use Rekor):
- https://fulcio.githubapp.com/
- https://timestamp.githubapp.com/
It would be great if containers-sigstore-signing-params.yaml(5) supported a timestamp authority server in the config:
```yaml
fulcio:
  fulcioURL: "https://fulcio.githubapp.com"
  oidcMode: "staticToken"
  oidcIDToken: "placeholder"
  timestampAuthorityURL: "https://timestamp.githubapp.com"
```
Refer to:
- https://github.com/actions/toolkit/blob/main/packages/attest/src/sign.ts#L72
- https://github.com/actions/toolkit/blob/main/packages/attest/src/endpoints.ts#L44
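For context on what a `timestampAuthorityURL` would actually be used for: Fulcio certificates are short-lived, so a verifier needs a trusted statement of *when* the signature was made in order to accept a certificate that has since expired. With the public-good instances that statement comes from the Rekor entry; in the private-repository flow above there is no Rekor, so the signer instead hashes the signature, sends the digest to the timestamp authority (RFC 3161), and stores the returned timestamp token next to the signature. The script below is an added example, not code from this issue, from containers/image or from the GitHub toolkit; it hand-rolls the DER for the `TimeStampReq` so it runs offline, and the signature bytes and nonce are constructed sample values.

```python
"""Build and inspect an RFC 3161 TimeStampReq, the message a Sigstore signer
would POST to a timestamp authority (TSA). Hand-rolled DER, no network access."""
import hashlib

# id-sha256 (2.16.840.1.101.3.4.2.1), DER-encoded OID content octets
SHA256_OID = bytes.fromhex("608648016503040201")

# Universal DER tags used below
TAG_BOOLEAN, TAG_INTEGER, TAG_OCTET_STRING, TAG_NULL, TAG_OID, TAG_SEQUENCE = (
    0x01, 0x02, 0x04, 0x05, 0x06, 0x30)


def der_length(n: int) -> bytes:
    """Encode a DER length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + der_length(len(body)) + body


def der_integer(value: int) -> bytes:
    """Minimal big-endian two's complement for a non-negative INTEGER."""
    if value < 0:
        raise ValueError("only non-negative integers are encoded here")
    body = value.to_bytes(max(1, (value.bit_length() + 8) // 8), "big")
    return der_tlv(TAG_INTEGER, body)


def build_timestamp_request(signature: bytes, nonce: int, cert_req: bool = True) -> bytes:
    """TimeStampReq ::= SEQUENCE { version, messageImprint, nonce, certReq }.

    Only the SHA-256 digest of the signature leaves the signer; the TSA never
    sees the artifact or the signature itself. certReq=TRUE asks the TSA to
    include its certificate chain so the token can be verified offline later.
    """
    digest = hashlib.sha256(signature).digest()
    algorithm = der_tlv(TAG_SEQUENCE, der_tlv(TAG_OID, SHA256_OID) + der_tlv(TAG_NULL, b""))
    imprint = der_tlv(TAG_SEQUENCE, algorithm + der_tlv(TAG_OCTET_STRING, digest))
    body = der_integer(1) + imprint + der_integer(nonce)
    if cert_req:
        body += der_tlv(TAG_BOOLEAN, b"\xff")
    return der_tlv(TAG_SEQUENCE, body)


def _read_tlv(buf: bytes, pos: int):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        count = first & 0x7F
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length


def _children(seq_body: bytes):
    pos, out = 0, []
    while pos < len(seq_body):
        tag, value, pos = _read_tlv(seq_body, pos)
        out.append((tag, value))
    return out


def parse_timestamp_request(req: bytes) -> dict:
    """Decode the fields a TSA checks before answering; raises on malformed input."""
    tag, body, end = _read_tlv(req, 0)
    if tag != TAG_SEQUENCE or end != len(req):
        raise ValueError("not a single DER SEQUENCE")
    fields = _children(body)
    if fields[0][0] != TAG_INTEGER or fields[1][0] != TAG_SEQUENCE:
        raise ValueError("missing version or messageImprint")
    algorithm, hashed = _children(fields[1][1])
    oid = _children(algorithm[1])[0]
    result = {
        "version": int.from_bytes(fields[0][1], "big"),
        "hash_oid": oid[1].hex(),
        "hashed_message": hashed[1].hex(),
        "nonce": None,
        "cert_req": False,
    }
    for tag, value in fields[2:]:          # optional trailing fields; a reqPolicy OID is skipped
        if tag == TAG_INTEGER:
            result["nonce"] = int.from_bytes(value, "big")
        elif tag == TAG_BOOLEAN:
            result["cert_req"] = value != b"\x00"
    return result


if __name__ == "__main__":
    # Constructed sample: in a real signer this is the Sigstore signature over
    # the image manifest, and the TSA URL comes from the signing config.
    sample_signature = b"constructed-signature-bytes"
    request = build_timestamp_request(sample_signature, nonce=0x1234)
    print(request.hex())
    print(parse_timestamp_request(request))
    # Transport (RFC 3161, section 3.4): HTTP POST of these bytes to the TSA URL
    # with Content-Type application/timestamp-query; the reply is
    # application/timestamp-reply and carries the signed TimeStampToken.
```

The nonce is what ties a reply to this particular request: a verifier of the stored token should check that the token's nonce and message imprint match the signature it sits next to, otherwise a timestamp token obtained for one signature could be presented alongside another.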