Add attestation store option #724
Comments
@laurentsimon I am looking forward to a direction to add an explicit option to the verifier (name) and code details to get started. Can you also clarify if the verifier already works with the
I think the slsa-verifier should work with COSIGN_REPOSITORY, since we're just calling the cosign APIs. So setting the env variable in slsa-verifier should work. Here are the places to add an
If we can add a test, that'd be great... maybe in https://github.com/slsa-framework/slsa-verifier/blob/main/cli/slsa-verifier/main_regression_test.go. Not sure where the best place is for the test yet :) Let me know if this makes sense or not. Thanks again for your help!
@laurentsimon can you elaborate on the following:
Hi
ah, you caught me unaware here. So you're saying that
yes.
yes
Does this answer all the questions? Thanks again for all your contributions, really appreciated!
@laurentsimon Here is the PR #736 for the added option. I have NOT deprecated the Looking forward to a release / tag with this functionality.
The fact that we use cosign is an implementation detail that need / should not be exposed to the client. I think we should remove this option. In fact, we're in the process of moving to sigstore-go instead of cosign.
That made me realize we call this option
… while image verification (slsa-framework#736)

@laurentsimon

Added a new image verification cmd input `--provenance-repository`

This replicates the feature of the `COSIGN_REPOSITORY` environment variable when provenance is stored in a different repository/registry

Order of precedence:
- If input `--provenance-repository` is set, leverages the non-empty input value
- If the env variable `COSIGN_REPOSITORY` is set, it is NOT consumed

README edit : https://github.com/slsa-framework/slsa-verifier/pull/736/files#diff-b335630551682c19a781afebcf4d07bf978fb1f8ac04c6bf87428ed5106870f5R280

---------

Signed-off-by: saisatishkarra <saisatish.karra@konghq.com>
Co-authored-by: laurentsimon <64505099+laurentsimon@users.noreply.github.com>
Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com>
Following slsa-framework/slsa-github-generator#2962, we need to expose this functionality.
/cc @saisatishkarra