Today I was playing with Minisign and Cosign to evaluate whether it’s worth signing some of my OSS software with something other than PGP.

Here’s my verdict: Minisign is promising… Much easier to use than PGP. That simplicity, of course, comes at the cost of giving up a few features.

#OSS #SoftwareSigning #ArtifactSigning #PGP #Minisign #Cosign #Sigstore

I don't suppose that trusting #sigstore to run a centralized CA and transparency logs just to issue short-lived certs for me to generate signatures is much more secure than #PGP signing using my own keys. I'm just increasing the attack surface...

The whole Googlesque philosophy of "trust us; don't be evil" is contrary to my take on information security.

But I'm also open to anyone convincing me otherwise.

#cosign #rekor #fulcio

Back from a multi-day-long rabbit hole:
kasseapparat now builds multi-arch images using Docker Bake, with labels, annotations, and SBOMs – all signed and attested via Cosign in GitHub Actions.
Took way more test builds than expected 🤯. Now back to the fun part: building software.
#DevOps #Cosign #SBOM #MultiArch #GitHubActions

#SigStore supposedly: has many clients and is easy to use.

Reality:

#Cosign by default uses an (old?) signature format, which apparently the Python client doesn't support at all. You have to pass `--new-bundle-format` to get signatures compatible with other clients.

When verifying you also have to pass `--new-format`. Otherwise, you get a completely unclear message:

Error: bundle does not contain cert for verification, please provide public key

And of course finding any information at all is cosmically hard. I discovered how to do it only because I recalled that there was once a thread about this on the Python forum, and someone gave an example of how to verify CPython releases using this contraption.

#SigStore claim: it has multiple clients and it's easy to use.

Reality:

#Cosign defaults to using a bundle format that doesn't seem to be supported by SigStore-python at all. You have to explicitly pass `--new-bundle-format` to create compatible signatures.

You also have to explicitly pass `--new-format` when verifying. Otherwise, Cosign will give you a completely confusing message:

Error: bundle does not contain cert for verification, please provide public key

And of course it's quite hard to find any information on this. I've realized it only because I recalled a SigStore-related thread on discuss.python.org, and a single example of using Cosign to verify CPython signatures was given there.

INBOX: it's a great day for economics #cosign
We have Sigstore `cosign` tool in Debian's NEW queue! Please help test #sigstore #cosign https://lists.debian.org/debian-go/2024/12/msg00005.html
cosign: first binary packages available

#somf wud go pro #cosign RT @ThatBlackman10: #IfSexWasASport the word "whore" and all its variations would be replaced with the word athlete