Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Update README with more details #188

Merged
merged 3 commits into from
Dec 20, 2022
Merged

Update README with more details #188

merged 3 commits into from
Dec 20, 2022

Conversation

haydentherapper
Copy link
Contributor

This includes a security model and how to do timestamping with Sigstore.

This includes more details on how to operate the TSA in production also.

Fixes #17

Fixes #116

Signed-off-by: Hayden B hblauzvern@google.com

Summary

Release Note

Documentation

@haydentherapper
Update README with more details
f8e0d26 
This includes a security model and how to do timestamping with Sigstore.

This includes more details on how to operate the TSA in production also.

Fixes #17

Fixes #116

Signed-off-by: Hayden B <hblauzvern@google.com>
@haydentherapper haydentherapper requested a review from a team as a code owner December 15, 2022 20:57
@codecov-commenter
Copy link

Codecov Report

Merging #188 (f8e0d26) into main (2abaee1) will decrease coverage by 0.03%.
The diff coverage is n/a.

@@            Coverage Diff             @@
##             main     #188      +/-   ##
==========================================
- Coverage   47.81%   47.77%   -0.04%     
==========================================
  Files          18       18              
  Lines        1119     1124       +5     
==========================================
+ Hits          535      537       +2     
- Misses        528      529       +1     
- Partials       56       58       +2
Impacted Files Coverage Δ
pkg/ntpmonitor/config.go 37.50% <0.00%> (+1.13%) ⬆️

Help us with your feedback. Take ten seconds to tell us how you rate us. Have a feature suggestion? Share it here.

malancas
malancas previously approved these changes Dec 15, 2022
View reviewed changes
asraa
asraa reviewed Dec 16, 2022
View reviewed changes
Copy link
Collaborator

@asraa asraa left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

nice!

README.md Outdated Show resolved Hide resolved
README.md Outdated Show resolved Hide resolved
README.md
* Fetch a timestamp for that signature (more below in "What to sign")
* Upload the signature, artifact hash, and certificate to Rekor (hashedrekord record type)
* Upload the timestamp to Rekor (rfc3161 record type)
* This step is important because it makes the timestamps publicly auditable
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

In future work, will timestamp-authority handle this itself?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Someone asked about this awhile ago. My thought was to make this always client-driven, but maybe we make it configurable? What do you think?

README.md Outdated Show resolved Hide resolved
README.md Outdated Show resolved Hide resolved
README.md Outdated Show resolved Hide resolved
@haydentherapper
Update from comments
16f2b14 
Signed-off-by: Hayden B <hblauzvern@google.com>
@haydentherapper
Fix link
400799c 
Signed-off-by: Hayden B <hblauzvern@google.com>
@haydentherapper
Copy link
Contributor Author

bump for lgtm

@haydentherapper haydentherapper merged commit 66213b1 into main Dec 20, 2022
@haydentherapper haydentherapper deleted the haydentherapper-patch-1 branch December 20, 2022 16:39
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@asraa asraa asraa left review comments

@hectorj2f hectorj2f hectorj2f approved these changes

@cpanato cpanato cpanato approved these changes

@malancas malancas malancas left review comments

@znewman01 znewman01 Awaiting requested review from znewman01

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

What payload should we send to the TSA in Sigstore? Add documentation
6 participants
@haydentherapper @codecov-commenter @hectorj2f @cpanato @asraa @malancas