Replies: 4 comments 1 reply
-
Allow depending on Sigstore without taking a dependency on KMS provider libraries: #386 |
Beta Was this translation helpful? Give feedback.
-
Make a standalone sigstore-go client library. (This is a bigger one; see Sigstore in Golang doc) |
Beta Was this translation helpful? Give feedback.
-
Cosign uses a "hack" to attach signatures to OCI images: if your image is OCI has officially adopted "reference types" to do something similar. Can we:
|
Beta Was this translation helpful? Give feedback.
-
Finding a forever home for protos in Sigstore! There are several proto interfaces that will be needed by any client, written in Go or another language:
|
Beta Was this translation helpful? Give feedback.
-
There are a few issues with the state of the Sigstore libraries in Golang:
If that wasn't enough whinging for you, you can read my full write-up (join sigstore-dev@ Google Group for access).
Taken together, all of these refactoring ideas are daunting! But I believe they can be split up and proceed independently. Let's use this GitHub discussion to make threads on specific ideas (feel free to suggest your own) and figure out where to track them.
Beta Was this translation helpful? Give feedback.
All reactions