Zach Steindler
Yeah, so when I heard about this project I thought of it as made up of two steps: 1) Taking workload identity information (like from GitHub Actions) and encoding it...
This is great! I'm going to take a stab at answering these questions. > 1. What does the Source level attach to? Is it a project, a repo, a commit,...
Hi @lovato - this was actually intentional. The way we were using simplepypi at work we would sometimes need to re-submit a patched package with the same version number as...
After the Sigstore TSC meeting this week, I thought I'd add some details about possible alternative approaches. #### Should Fulcio code signing certificates include OIDs for release attestation properties like...
I have another claim to suggest, unrelated to the (great) conversation above about build instructions and references. Some CI/CD providers allow you to either run your build on their cloud-hosted...
So there's sort of two questions rolled into one here: 1. What properties must cloud CI/CD providers send to Fulcio? 2. Should / can OIDC token field names be standardized...
Hello! I'm one of the sigstore-go maintainers. Yesterday we released [sigstore-go v0.4.0](https://github.com/sigstore/sigstore-go/releases/tag/v0.4.0), where [we added signing support](https://github.com/sigstore/sigstore-go/blob/main/docs/signing.md) and upgraded the verification and signing interface from "unstable" to "beta". There may...
Yes, this question has come up before. There's very similar data in the Fulcio code signing certificate and in the SLSA provenance in-toto attestation, so why have the information in...
I think this is a great idea! The Securing Repos OpenSSF Working Group is [encouraging all package registries to provide build provenance](https://repos.openssf.org/build-provenance-for-all-package-registries). Not **all** build properties have to be standardized,...
Hello @fitreklam! I'm not @JangoSteve, but I believe that instead of `node` the binary is now called `nodejs`. If you change that, perhaps the server will start up correctly?