Update README with more details #188
Conversation
This includes a security model and how to do timestamping with Sigstore. This includes more details on how to operate the TSA in production also. Fixes #17 Fixes #116 Signed-off-by: Hayden B <[email protected]>
Codecov Report

@@            Coverage Diff             @@
##             main     #188      +/-   ##
==========================================
- Coverage   47.81%   47.77%   -0.04%
==========================================
  Files          18       18
  Lines        1119     1124       +5
==========================================
+ Hits          535      537       +2
- Misses        528      529       +1
- Partials       56       58       +2
nice!
* Fetch a timestamp for that signature (more below in "What to sign")
* Upload the signature, artifact hash, and certificate to Rekor (hashedrekord record type)
* Upload the timestamp to Rekor (rfc3161 record type)
* This step is important because it makes the timestamps publicly auditable
In future work, will timestamp-authority handle this itself?
Someone asked about this awhile ago. My thought was to make this always client-driven, but maybe we make it configurable? What do you think?
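The client-driven sequence quoted in the review thread above (sign, fetch a timestamp for that signature, upload signature and timestamp to Rekor), as an added example that is not code from the timestamp-authority repository or its README: it builds the RFC 3161 TimeStampReq a client sends to the TSA, with the message imprint being SHA-256 over the signature bytes, and then applies the imprint check a verifier performs before trusting the time in a returned token. It uses only Go's standard library (encoding/asn1, crypto/x509/pkix). The signature bytes and nonce are constructed, the optional extensions field of TimeStampReq is omitted because nothing here sets it, and the HTTP POST to the TSA and the Rekor uploads are left out so the example runs offline.

```go
package main

import (
	"bytes"
	"crypto/sha256"
	"crypto/x509/pkix"
	"encoding/asn1"
	"errors"
	"fmt"
	"math/big"
)

// MessageImprint (RFC 3161 section 2.4.1): the digest algorithm and digest the TSA binds a time to.
type MessageImprint struct {
	HashAlgorithm pkix.AlgorithmIdentifier
	HashedMessage []byte
}

// TimeStampReq (RFC 3161 section 2.4.1). The optional extensions field is left out
// because this example never sets it; a parser for arbitrary requests would need it.
type TimeStampReq struct {
	Version        int
	MessageImprint MessageImprint
	ReqPolicy      asn1.ObjectIdentifier `asn1:"optional"`
	Nonce          *big.Int              `asn1:"optional"`
	CertReq        bool                  `asn1:"optional"`
}

// id-sha256 from the NIST hash algorithm arc.
var oidSHA256 = asn1.ObjectIdentifier{2, 16, 840, 1, 101, 3, 4, 2, 1}

// BuildTimestampRequest produces the DER TimeStampReq a client POSTs to the TSA.
// The imprint is SHA-256 over the signature bytes, so the TSA attests to when that
// exact signature existed; the nonce lets the client match the response to its
// request; certReq asks the TSA to include its certificate chain so the token can
// be verified later without contacting the TSA again.
func BuildTimestampRequest(signature []byte, nonce *big.Int) ([]byte, error) {
	if len(signature) == 0 {
		return nil, errors.New("refusing to timestamp an empty signature")
	}
	digest := sha256.Sum256(signature)
	req := TimeStampReq{
		Version: 1,
		MessageImprint: MessageImprint{
			HashAlgorithm: pkix.AlgorithmIdentifier{Algorithm: oidSHA256, Parameters: asn1.NullRawValue},
			HashedMessage: digest[:],
		},
		Nonce:   nonce,
		CertReq: true,
	}
	return asn1.Marshal(req)
}

// ParseTimestampRequest decodes a DER TimeStampReq and rejects trailing bytes.
func ParseTimestampRequest(der []byte) (*TimeStampReq, error) {
	var req TimeStampReq
	rest, err := asn1.Unmarshal(der, &req)
	if err != nil {
		return nil, err
	}
	if len(rest) != 0 {
		return nil, errors.New("trailing data after TimeStampReq")
	}
	return &req, nil
}

// CheckImprint is the check a verifier applies to the messageImprint inside a
// timestamp token (TSTInfo) before trusting its time: the algorithm must be the
// expected one and the digest must equal the hash of the signature actually being
// verified. Here it runs against the request we built, so the example stays offline.
func CheckImprint(imprint MessageImprint, signature []byte) error {
	if !imprint.HashAlgorithm.Algorithm.Equal(oidSHA256) {
		return fmt.Errorf("unexpected imprint algorithm %v", imprint.HashAlgorithm.Algorithm)
	}
	want := sha256.Sum256(signature)
	if !bytes.Equal(imprint.HashedMessage, want[:]) {
		return errors.New("imprint digest does not match the signature being verified")
	}
	return nil
}

func main() {
	// Constructed stand-in for the signature over the artifact hash (not a real Sigstore signature).
	signature := []byte("constructed-signature-bytes")
	der, err := BuildTimestampRequest(signature, big.NewInt(20240217))
	if err != nil {
		panic(err)
	}
	fmt.Printf("TimeStampReq (%d bytes): %x\n", len(der), der)

	req, err := ParseTimestampRequest(der)
	if err != nil {
		panic(err)
	}
	fmt.Println("imprint matches signature:", CheckImprint(req.MessageImprint, signature) == nil)
	fmt.Println("imprint matches tampered signature:", CheckImprint(req.MessageImprint, []byte("tampered")) == nil)
}
```

Whichever side ends up uploading the rfc3161 entry to Rekor (the client, as the README currently describes, or the TSA if that is made configurable), the imprint comparison is what ties the TSA's time to one specific signature; a token whose imprint does not hash-match the signature under verification carries no evidence about that signature at all.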
bump for lgtm