Just adding some context or comments or lessons learned from cosign:
There's a proposal for a more specified bundle: sigstore/cosign#2131. Depending on your timeline of course, you may just want to use a basic copy of the Rekor bundle, without relying on this issue's resolution.
Note that the current cosign `--bundle` output has something of the format:
When using the cosign CLI, it's hairy to use the `base64Signature` in favor of the signature potentially given in the CLI argument `--signature`. Likewise, definitely use diligence to make sure that `rekorBundle` actually applies to the artifact that it's intended to verify!
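The binding check the comment above asks for, as an added example (not code from cosign or from this project): it confirms that the digest and signature recorded in the bundle's log entry are the ones for the artifact being verified. The field layout (`rekorBundle.Payload.body` holding a base64-encoded `hashedrekord` entry) is an assumption, since the format is not shown on this page, and the sample bundle is constructed. It checks consistency only and does not verify the signature or the signed entry timestamp.

```python
import base64
import hashlib
import json
from typing import Optional


def bundle_binding_errors(bundle: dict, artifact: bytes,
                          cli_signature_b64: Optional[str] = None) -> list:
    """Return the reasons a bundle does not bind to `artifact` (empty = consistent)."""
    # Payload.body is base64-encoded JSON describing the logged entry (assumed layout).
    body = json.loads(base64.b64decode(bundle["rekorBundle"]["Payload"]["body"]))
    if body.get("kind") != "hashedrekord":
        return ["unsupported entry kind: %r" % body.get("kind")]
    spec, errors = body["spec"], []

    # 1. The digest recorded in the log must be the digest of *this* artifact.
    logged = spec["data"]["hash"]
    if logged["algorithm"] != "sha256":
        errors.append("unexpected hash algorithm: %r" % logged["algorithm"])
    elif logged["value"].lower() != hashlib.sha256(artifact).hexdigest():
        errors.append("log entry digest does not match artifact")

    # 2. Every signature source must agree with the one that was logged.
    logged_sig = base64.b64decode(spec["signature"]["content"])
    if base64.b64decode(bundle["base64Signature"]) != logged_sig:
        errors.append("base64Signature differs from logged signature")
    if cli_signature_b64 is not None and base64.b64decode(cli_signature_b64) != logged_sig:
        errors.append("--signature value differs from logged signature")
    return errors


def make_sample_bundle(artifact: bytes, sig: bytes) -> dict:
    """Constructed sample data: placeholder signature bytes, no real log entry."""
    entry = {"apiVersion": "0.0.1", "kind": "hashedrekord", "spec": {
        "data": {"hash": {"algorithm": "sha256",
                          "value": hashlib.sha256(artifact).hexdigest()}},
        "signature": {"content": base64.b64encode(sig).decode()}}}
    body = base64.b64encode(json.dumps(entry).encode()).decode()
    return {"base64Signature": base64.b64encode(sig).decode(),
            "rekorBundle": {"Payload": {"body": body}}}


if __name__ == "__main__":
    sample = make_sample_bundle(b"constructed artifact bytes", b"placeholder-sig")
    print(bundle_binding_errors(sample, b"constructed artifact bytes"))
    print(bundle_binding_errors(sample, b"a different artifact"))
```
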
Description
Similar to `cosign`'s `--bundle` flag, we should support generating offline Rekor bundles as well:
E.g. from `cosign`:
This is likely a logical first step before #52.