v0.1.0

@bdehamer bdehamer released this 30 Nov 18:39
· 1074 commits to main since this release
d62881b

Working toward the 1.0.0 release!

  • OpenID Connect support
    • Interactive OIDC token retrieval via OAuth
    • Automatic OIDC token retrieval when running in GitHub Actions
  • Keyless signing using Fulcio-issued signing certificates bound to OIDC identities
  • Signing
    • Blob signing
    • Signing of DSSE-wrapped attestations
  • Record of signatures posted to Rekor transparency log
  • Support for the Sigstore Bundle format
  • Offline bundle verification
    • Signature verification
    • Transparency log entry verification

Before we get to the 1.0.0 release, we'll have complete offline bundle verification, including Fulcio certificate chain verification and integration with the Sigstore TUF root for retrieving the Fulcio root certificate and Rekor public key.