Sigstore-Java verifying artifacts signed by Github Workflows #468
Labels
question
Further information is requested
Comments
|
See However, sigstore-java does not handle certificate rotations yet (see #60), so every certificate rotation requires releasing a new sigstore-java version currently. |
|
Note: sigstore-java does not provide policies to declare "what you trust", and it is probably to be implemented elsewhere. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Question
Hi folks! Ive mention the question in the #java channel but incase its missed. Small question - I'm signing some release artifacts keylessly via Github action. The artifacts are being used in a java client after. Can i do the verification within the Java client using Sigstore-Java implementation. If this is possible can anyone assisst me with this. Thanks and Cheers!
The text was updated successfully, but these errors were encountered: