### Description
The goal is to research the feasibility of integrating Chainloop and Sigstore by:
- Letting users use a Fulcio instance to generate ephemeral signing certificates with the proper attributes (CT log inclusion, OIDC attributes correctly mapped, etc.)
- Providing integration with Rekor to publish signatures in a public or private transparency log
- Generating attestation bundles in the Sigstore Bundle format (the one GitHub uses) to store the verification material
- Ensuring the attestations are correctly signed and can be verified using the Sigstore verification specs (implemented in the sigstore-go library)
The outcome of this task would be a set of action items to tackle as part of this initiative.
### Tasks
- [ ] https://github.com/chainloop-dev/chainloop/issues/1244