Currently I believe we don't use all of the information in the signingconfig part of `--trust-config` (or the signingconfig from TUF). It would be useful for #1340 if we did, as we can then try to provide a "sigstore-in-a-box" test setup that comes with a trustedroot and signingconfig.

Basically, if we have signingconfig we should select the used services from there when signing:

- interactive oidc url: this needs work
- fulcio url (EDIT: this is already covered when using `--trust-config`)
- rekor urls (EDIT: this is already covered when using `--trust-config`)

In addition:

- `--production` and `--staging` should actually use the signing config from TUF

To fix these issues:

- `_internal.trust` has to contain a SigningConfig implementation and should use a method provided by `_internal.tuf` to fetch it (special casing is currently needed for production since there is no signingconfig yet). I have an almost ready branch for this.
- "deps: bump protobuf-specs" #1276 is sort of a blocker: signingconfig has had changes and it would probably make sense to only support the current version