Skip to content

Add keyless signing w/ storage in rekor to FUN.md #924

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Oct 20, 2021
Merged

Add keyless signing w/ storage in rekor to FUN.md #924

merged 1 commit into from
Oct 20, 2021

Conversation

@priyawadhwa
Copy link
Contributor

@priyawadhwa priyawadhwa commented Oct 19, 2021

I filled in the last section of this doc! Let me know if I didn't do this the intended way 😅

squee1945
squee1945 reviewed Oct 19, 2021
View reviewed changes
squee1945
squee1945 reviewed Oct 19, 2021
View reviewed changes
FUN.md
2djlcXFUJb1xFwO5
-----END CERTIFICATE-----
tlog entry created with index: 782549
Copy link

@squee1945 squee1945 Oct 19, 2021

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Related feedback: it seems like Cosign should emit an immutable https:// link to rekor for the tlog entry here.

squee1945
squee1945 reviewed Oct 19, 2021
View reviewed changes
FUN.md
Now find it from the log:

```
$ uuid=$(rekor-cli search --artifact <(git rev-parse HEAD) | tail -n 1)
Copy link

@squee1945 squee1945 Oct 19, 2021

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I assume tail -n 1 retrieves the most recent signature for a given hash. I suppose a real world example would already know the git hash that it wanted to check...

Copy link
Contributor Author

@priyawadhwa priyawadhwa Oct 20, 2021

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

yah we're just checking out the most recent signature here. realistically you might get a list & have to go through each entry to see if a trusted identity signed off on the commit.

@priyawadhwa priyawadhwa force-pushed the keyless-sign-git-commit branch from ab20430 to 3abd1e0 Compare October 20, 2021 20:13
@dlorenc dlorenc merged commit b2351d3 into sigstore:main Oct 20, 2021
@github-actions github-actions bot added this to the v1.3.0 milestone Oct 20, 2021
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

2 more reviewers

@squee1945 squee1945 squee1945 left review comments

@dlorenc dlorenc dlorenc approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

v1.3.0

Development

Successfully merging this pull request may close these issues.

3 participants

@priyawadhwa @squee1945 @dlorenc