TLOG Support
dlorenc opened this issue · 0 comments
dlorenc commented
Let's add an experimental TLOG mode to the tool. This will look like:
TLOG=1 cosign sign ...
and
TLOG=1 cosign verify ...
The tlog server will default to api.rekor.dev, and can be overridden with the REKOR_SERVER env variable.
TLOG=1 cosign sign will publish the signature, public key and payload to the Rekor tlog.
TLOG=1 cosign verify will verify the signature, public key and payload are in the tlog, as well as verifying the signature itself.
Both commands will record the state of the tlog in the .rekor/state.json configuration file and audit the log on each invocation.
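One way a client could audit the log against saved state on each invocation, as an added example that is not part of this issue and is not cosign or Rekor code. The `State` fields, the `Audit` function and the sample entries are assumptions (the issue does not define the layout of .rekor/state.json), and the check recomputes RFC 6962 Merkle roots over the full entry list instead of verifying a server-supplied consistency proof.

```go
package main

import (
	"crypto/sha256"
	"fmt"
)

// State is a hypothetical stand-in for what a client might save in .rekor/state.json.
type State struct {
	Size int    // number of log entries seen at the last invocation
	Root string // hex Merkle root over those entries
}

// merkleRoot computes the RFC 6962 Merkle tree hash (0x00 leaf prefix, 0x01 node prefix).
func merkleRoot(leaves [][]byte) [32]byte {
	if len(leaves) == 0 {
		return sha256.Sum256(nil)
	}
	if len(leaves) == 1 {
		return sha256.Sum256(append([]byte{0x00}, leaves[0]...))
	}
	k := 1 // largest power of two strictly less than len(leaves)
	for k*2 < len(leaves) {
		k *= 2
	}
	l, r := merkleRoot(leaves[:k]), merkleRoot(leaves[k:])
	return sha256.Sum256(append(append([]byte{0x01}, l[:]...), r[:]...))
}

// Audit checks that the log only grew since the saved state and returns the new state.
// A zero State means no state file exists yet, so the first view of the log is trusted.
func Audit(saved State, entries [][]byte) (State, error) {
	if len(entries) < saved.Size {
		return saved, fmt.Errorf("log shrank from %d to %d entries", saved.Size, len(entries))
	}
	if saved.Size > 0 && fmt.Sprintf("%x", merkleRoot(entries[:saved.Size])) != saved.Root {
		return saved, fmt.Errorf("root over first %d entries changed: history rewritten", saved.Size)
	}
	return State{len(entries), fmt.Sprintf("%x", merkleRoot(entries))}, nil
}

func main() {
	entries := [][]byte{[]byte("entry-0"), []byte("entry-1"), []byte("entry-2")} // constructed sample
	st, _ := Audit(State{}, entries)
	entries[1] = []byte("tampered") // simulate a log that rewrote an old entry
	fmt.Println(Audit(st, entries))
}
```

On an audit failure the saved state is returned unchanged, so the caller keeps the last good tree head as evidence and does not overwrite it.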