Fredrik Skogman

Results 22 issues of Fredrik Skogman

This came up during a discussion related to new features for the sigstore TUF client, as there is a desire to make implementations in different languages sharing the target and...

Initially discussed in this PR https://github.com/theupdateframework/go-tuf/pull/347, see this comment https://github.com/theupdateframework/go-tuf/pull/347#issuecomment-1211615181 for more details. That PR adds support for verifying that the permission mode for the metadata cache is a bit...

**Description** Today the public key can be retrieved via the API. For signature algorithms that rely on a hash function, the used hash function can not be retrieved via the...

enhancement

Closes https://github.com/sigstore/cosign/issues/2131 Authored by @kommendorkapten and @patflynn #### Summary First iteration of the proposed new bundle format for cosign. See `README.md` for more details. The intent for this PR is...

In https://slsa.dev/spec/v1.0-rc1/terminology, section "Software supply chain" we can read: > We represent a supply chain as a [directed acyclic graph](https://en.wikipedia.org/wiki/Directed_acyclic_graph) of sources, builds, dependencies, and packages. and below is a...

clarification

**Description** For some entry types (it seems?), the uploaded PEM encoded certificate is not returned with an ending newline (this may require that the uploaded certificate did not end with...

bug
rekor-v2

It would be good during debugging sessions if the user agent string contained the go-tuf version instead of the default Go user agent string. Also, during tuf client initialization the...

**Description** See this PR: https://github.com/sigstore/root-signing/pull/773/files#diff-411f5cc22c155801c5fd2fe49b6e5152a541cce0f8ae8b1b8b0ddc83c0d50314R1 Some ideas from the top of my head: 1. Figure out another method to represent the POP signature. 2. Store the POP signatures outside the...

bug

**Description** Make sure the workflows for adding delegations work with delegations using multiple keys. The current scripts/workflow are limited to a delegation that uses a single key. The command `tuf...

enhancement

It would be good during debugging sessions if the user agent string contained the tuf-js version instead of the default user agent string. Also, during tuf client initialization the client...