Is it possible to sign and verify artifacts while pushing and pulling artifacts using sigstore? #1906
Thank you for the great project!

Workaround

As a workaround, I'm signing and verifying artifacts using cosign myself.
https://github.com/szksh-lab-2/example-oras-cosign/blob/5b64fd6e6c12285e3ab3b5c21752077516a8662d/.github/workflows/test.yaml#L35-L48
Replies: 1 comment 1 reply
Hi @suzuki-shunsuke, ORAS can store and manage signatures as artifacts, but it doesn’t handle signing or verification directly.
You might be interested in the Notary project, which is dedicated to signing and verifying artifacts and is backed by the oras-go SDK.
/cc @shizhMSFT @FeynmanZhou