make --cert-identity a required parameter in sigstore verify #155

Closed
graingert opened this issue Jul 7, 2022 · 5 comments
Labels
blocked enhancement New feature or request

Comments

@graingert

Description

Forgetting to verify who a certificate is actually from is a footgun, which accidentally caught out urllib3; see urllib3/urllib3#2675.

@di
Member

di commented Jul 7, 2022

Since we're trying to maintain parity with cosign, marking this blocked on sigstore/cosign#2056.

@di added the blocked label Jul 7, 2022
@woodruffw
Member

This is also partially blocked on #108, since --cert-identity is pretty limited in scope.

@haydentherapper
Contributor

We are likely going to add this very soon in Cosign. Will tag y'all on the PR for discussion.

@woodruffw
Member

#299 currently contains this change on our side, although I may break it out into a separate PR.

@woodruffw
Member

This is done.

4 participants