d9f7b922d0
The main change is previously we always instantiated a TUF client for the public good and GitHub Sigstore instances. Now we only instantiate the TUF client we need, or no client if we are provided a custom trusted root. Note that `gh attestation verify` still requires authentication, that is being addressed in https://github.com/cli/cli/pull/8995. Some other changes are coming along for the ride: - Set TUF cache validity to 1 day, to help serial verification - Attempt to infer verification policy based on custom trusted root - Make command output more friendly if you leave off required arguments Signed-off-by: Zach Steindler <steiza@github.com> |
||
|---|---|---|
| .. | ||
| bundle.go | ||
| bundle_test.go | ||
| inspect.go | ||
| inspect_test.go | ||
| options.go | ||
| policy.go | ||