0ec49784b5
This commit properly sets `IgnoreTlog` to `true` when a public key is provided to check the signature against, which matches the (silent) default behavior from cosign v1. However, during this exercise it has become apparant that this assumption isn't necessarily true. As you can theoretically have a custom key and a tlog entry. Given this, we should inventarise the possible configuration options and the potential value they have to users (e.g. defining a custom Rekor URL seems to be valuable as well), and extend our API to facilitate these needs. In addition to the above, the CTLog public keys are now properly retrieved to avoid a `none of the CTFE keys have been found` error. Signed-off-by: Hidde Beydals <hidde@hhh.computer> |
||
|---|---|---|
| .. | ||
| auth.go | ||
| verifier.go | ||
| verifier_test.go | ||