Results: 25 issues of Zach Steindler

**Description** We would like there to be a relatively compact Go library that people can use for Sigstore bundle verification, instead of having to depend on all of sigstore/cosign. In...

enhancement

**Description** We are working on adding an [in-toto predicate for release attestations](https://github.com/in-toto/attestation/pull/319). There have been discussions about what information should live in Fulcio code signing certificate OIDs vs in the...

enhancement

**Is your feature request related to a problem? Please describe.** I was working with GUAC and ingested a provenance file, and then tried to ingest an associated SPDX SBOM. The...

enhancement

This issue is to suggest a `github-release` purl type, discuss the motivation, and list some possible alternatives.

### Motivation

At GitHub we're working on [some improvements to GitHub Releases](https://github.com/github/roadmap/issues/943) including...

Today I learned about sos.dev... and that it probably isn't going to run in 2024. But there are several ongoing programs to fund security improvements in open source software. I...

One of the higher-impact activities of this working group is writing up learnings from a package repository implementing a capability, to make it easier for other repositories to develop the...

This is where we can collect feedback from the v0.1 release, as well as pick up feedback we didn't get to in https://github.com/ossf/wg-securing-software-repos/pull/37.

This will help package repositories see what each other are working on, link to context to inform future implementations, and document funding sources so interested package repositories can seek our...

#### Summary

As we work towards releasing signing support (https://github.com/sigstore/sigstore-go/issues/136), we want the option to verify that the bundle we signed is valid before returning it to the user. At...

### Description

It would be great if sigstore-go could not just verify, but also sign bundles. There aren't many libraries that support signing bundles today (just sigstore-js?). This would also...

enhancement
v1.0