Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Replace cosign #1008

Open
naveensrinivasan opened this issue Nov 13, 2022 · 5 comments
Open

Replace cosign #1008

naveensrinivasan opened this issue Nov 13, 2022 · 5 comments
Labels
enhancement New feature or request go Pull requests that update Go code

Comments

@naveensrinivasan
Copy link
Member

At the moment we use cosign to sign our payload. Cosign brings in a lot of dependencies.

We could replace it with something like this https://github.com/slsa-framework/slsa-github-generator/blob/c3a3e407b10cc6dbbb44d01e0ebdded5c6b22f12/signing/sigstore/rekor.go#L63
@naveensrinivasan naveensrinivasan added enhancement New feature or request go Pull requests that update Go code labels Nov 13, 2022
@laurentsimon
Copy link
Contributor

There's a WIP sigstore-go which aims at reducing the dependencies to a minimum. Once it's ready, we'll use that?

@justaugustus
Copy link
Member

There's a WIP sigstore-go which aims at reducing the dependencies to a minimum. Once it's ready, we'll use that?

That sounds like a plan!

@naveensrinivasan
Copy link
Member Author

There's a WIP sigstore-go which aims at reducing the dependencies to a minimum. Once it's ready, we'll use that?

We already have this https://github.com/sigstore/sigstore

@laurentsimon
Copy link
Contributor

IIUC, this https://github.com/sigstore/sigstore-go is the library WIP that will minimize the logic / number of deps

@spencerschrock
Copy link
Member

https://github.com/sigstore/sigstore-go now has signing support, so it may be possible to make the change soon
https://github.com/sigstore/sigstore-go/releases/tag/v0.4.0

v0.4.0 includes signing support as well as the verification and signing API moving from unstable to beta

@spencerschrock spencerschrock mentioned this issue Jul 23, 2024
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
enhancement New feature or request go Pull requests that update Go code
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@naveensrinivasan @justaugustus @spencerschrock @laurentsimon