You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
SBOM, SLSA provenance, and OSV scanning moved to milestone B — tracker #199.
Non-goals (deferred)
ocx package push --sign (sign-on-push) — v1 flow is sign after push as a separate step; a combined flag is explicitly deferred.
cosign pre-3.0 consumer compat — dropped. Floor is cosign >= 3.0 (referrers-mode default, .sig tags deprecated upstream). OCX is referrers-only; never add a tag-schema fallback. Document the floor in the user guide / threat model.
Notation parallel implementation (cosign-only in v1).
PKCS#11 / YubiKey signing UX (keyless OIDC covers public OCX.sh; hardware keys are enterprise v2 concern).
Goal
Secure defaults for OCX packages: publisher signs after push, consumer verifies by default, typosquat defeated.
ocx package sign/ocx package verify; sigstore-rs, Rekor v1 + TUF-distributed trust root).[trust.policy]inocx.toml— defeats typosquatting.OCX_OFFLINEsemantics,OCX_SIGSTORE_TUF_ROOToverride.Sub-issues
Dependency order (#195 runs parallel to the #194 spike):
[trust.policy]inocx.toml#98 — Identity-pinned verify ([trust.policy])ocx install/ocx pull(policy-gated) #99 — Auto-verify onocx install/ocx pull(policy-gated)External (pending, not milestone-gated):
Threat coverage (post-milestone)
[trust.policy]SBOM, SLSA provenance, and OSV scanning moved to milestone B — tracker #199.
Non-goals (deferred)
ocx package push --sign(sign-on-push) — v1 flow is sign after push as a separate step; a combined flag is explicitly deferred..sigtags deprecated upstream). OCX is referrers-only; never add a tag-schema fallback. Document the floor in the user guide / threat model.Test fixtures
All acceptance tests reuse the fake Fulcio + Rekor + OIDC stack from PR #87 (
test/tests/fixtures/fake_sigstore.py). Fixture extensions kept minimal — reuse over duplication.Done when
task verifygreen.