sigstore/cosign

Issues

• Reconsider deprecation of SBOM attachments

  #3685 opened 16 days ago by marklechner
  1

• cosign verify with certificates requires the --certificate-identity and --certificate-oidc-issuer flags

  #3671 opened 17 days ago by dhaus67
  2

• cosign attach command couldn't attach the rekor-bundle to an image

  #3678 opened 18 days ago by ArubaTest
  1

• `cosign.VerifyImageAttestations` fails to verify attestations, returns `unable to verify bundle: matching bundle to payload: invalid kind value: "dsse"`"

  #3677 opened 22 days ago by justpolidor
  1

• Support working with SLSA statements (without wrapping)

  #3641 opened 2 months ago by fmoessbauer
  2

• Cosign should check Media Type of the layer before download of the signature

  #3669 opened a month ago by Mukuls77
  0

• Allow insecure registryies with cosign save.

  #3630 opened a month ago by bisbell-ngc
  2

• latest tag not set automatically for v2 releases in GCR

  #3621 opened a month ago by haydentherapper
  2

• Why calling v2 referrers api and including all signature layer in new signature manifest

  #3659 opened a month ago by MinerYang
  2

• Bypass YubiKey Authentication for Self-Generated Key Pairs

  #3658 opened a month ago by abakerwrs
  0

• Wrong timestamp inside signature

  #3657 opened a month ago by RockRich
  1

• Sigstore Bundle as OCI Artifact

  #3577 opened a month ago by bdehamer
  15

• Cosign / rpm integrations meta-issue

  #3523 opened 3 months ago by lkatalin
  3

• Memory Leak identified in cosign verify flow

  #3642 opened a month ago by Mukuls77
  0

• Add OVHcloud Managed Registry in the README

  #3638 opened 2 months ago by scraly
  0

• Cosign doesn't accept Digicert's TSA certificate when verifying a signature

  #3632 opened 2 months ago by alt-enio
  1

• Signature Verification

  #3585 opened 2 months ago by suryabaiarava
  3

• Enable annotations to be set on attestations and signatures when OCI artifacts are uploaded

  #3640 opened 2 months ago by arewm
  0

• v2.2.3 or @latest cannot be installed on FreeBSD 14.0's go1.20

  #3631 opened 2 months ago by mandree
  4

• How to sign and verify with certificates from another CA?

  #3616 opened 2 months ago by peer-jslater
  5

• Error: getting ctlog public keys: updating local metadata and targets: error updating to TUF remote mirror: invalid key

  #3614 opened 2 months ago by Tim-Schwalbe
  2

• Cosign Keyless Signing using MS as the OIDC issues

  #3529 opened 3 months ago by alecrevangelista
  9

• generate key pair key prefix option is not working

  #3620 opened 2 months ago by miki725
  3

• Allow provisioning key-pair to a GitHub organisation's secrets

  #3566 opened 2 months ago by biehl1
  3

• Keyless Sigining Verification Fails on Github Self Hosted Runner

  #3613 opened 2 months ago by learningcicd
  0

• cosign sign with hashivault as KMS without transit

  #3611 opened 2 months ago by VenutNSA
  0

• Attestations require uploading entire payload to rekor

  #3599 opened 2 months ago by jonjohnsonjr
  9

• `cosign verify-attestation` hangs indefinitely in GitHub Actions

  #3602 opened 2 months ago by AliSajid
  2

• The sample script for working with blobs is inaccurate

  #3609 opened 2 months ago by arewm
  0

• Cosign targets Go 1.21, but uses 1.22 only dependency `github.com/buildkite/agent/v3@v3.65.0`

  #3608 opened 2 months ago by cardil
  3

• Fetch TSA certificates from TUF targets when available

  #3563 opened 3 months ago by haydentherapper
  1

• Upgrade to latest Sigstore TUF client

  #3548 opened 3 months ago by haydentherapper
  2

• Empty subject in the issued certificate in github workflow

  #3584 opened 2 months ago by ThomsonTan
  2

• Request: Update the CODEOWNERS.md with the current list of maintainers

  #3580 opened 2 months ago by TheFoxAtWork
  1

• Not able to sign OCI image from within a dind image (kdf issue?)

  #3562 opened 2 months ago by burgesQ
  2

• main.go:74: error during command execution: signing ... accessing image: Get "https://docker/v2/"

  #3570 opened 2 months ago by niteeshkd
  1

• Container Signing using CA Certificate

  #3573 opened 2 months ago by suryabaiarava
  1

• "cosign verify-blob" or "cosign verify" with local certificate and chain always asks for oidc provider

  #3572 opened 2 months ago by fernandokarnagi
  1

• Switch to Fulcio v2 API

  #3569 opened 3 months ago by haydentherapper
  0

• feature: 'cosign sign' add flags --ca-roots and --ca-intermediates to allow multiple CA roots

  #3568 opened 3 months ago by dmitris
  0

• verify-attestation should support --platform argument

  #3552 opened 3 months ago by querti
  1

• Mediatype for SPDX should be application/spdx+json

  #3515 opened 4 months ago by lumjjb
  6

• cosign could not import encrypted RSA or ECDSA keys ?

  #3512 opened 3 months ago by viveksahu26
  5

• ErrNoSignaturesFound should be used when there is no signature attached to an image.

  #3525 opened 3 months ago by zhaoyonghe
  0

• --insecure-ignore-sct possibly broken when verifying keyless sig

  #3514 opened 3 months ago by willarmiros
  3

• getting error while running e2e test locally

  #3498 opened 4 months ago by viveksahu26
  3

• Verifying signature of image in golang or java code

  #3503 opened 4 months ago by surendrababuravella
  4

• OSS security index card

  #3511 opened 4 months ago by viveksahu26
  1

• CI tests failing on main

  #3500 opened 4 months ago by haydentherapper
  2

• backward compatibility issue between v2.2.x and v2.[0|1].x

  #3496 opened 4 months ago by bouenou
  1