-
Notifications
You must be signed in to change notification settings - Fork 1
Back to Milestones
Signing & Trust v1
OpenJul 10, 2026
No due date
•Last updated End-to-end keyless Sigstore signing and verification for OCX packages: real Sign/VerifyPipeline via sigstore-rs (Rekor v1 + TUF trust root day one; Rekor v2 as delta), registry referrers capability handling with clean errors, identity-pinned [trust.policy] in ocx.toml, offline/air-gapped trust-root story, policy-gated auto-verify on install/pull, cosign v3 interop. Secure-defaults story: signed after push, verified by default, typosquatting defeated. Defers: Notation, PKCS#11/YubiKey, private TUF root, rebuilders, SLSA VSA, cosign pre-3.0 consumer compat.
20% complete
List view
0 of 8 selected 0 issues of 8 selected
Tracking: Signing & Trust v1
area/ociSubsystem: ociSubsystem: ocisecuritySecurity-relevant change or hardeningSecurity-relevant change or hardeningStatus: Open.#24 In ocx-sh/ocx;feat(cli,oci): OCI referrers sign + verify (slice 1)
area/ociSubsystem: ociSubsystem: ocisecuritySecurity-relevant change or hardeningSecurity-relevant change or hardeningStatus: Open (in progress).Identity-pinned verify:
[trust.policy]inocx.tomlarea/ociSubsystem: ociSubsystem: ocipriority/highShould land in next releaseShould land in next releasesecuritySecurity-relevant change or hardeningSecurity-relevant change or hardeningStatus: Open.#98 In ocx-sh/ocx;Auto-verify on
ocx install/ocx pull(policy-gated)area/package-managerSubsystem: package-managerSubsystem: package-managerpriority/highShould land in next releaseShould land in next releasesecuritySecurity-relevant change or hardeningSecurity-relevant change or hardeningStatus: Open.#99 In ocx-sh/ocx;Wire referrers capability cache into sign/verify pipelines (clean error, no tag fallback)
area/ociSubsystem: ociSubsystem: ociStatus: Open.#106 In ocx-sh/ocx;Implement sign/verify pipeline via sigstore-rs (slice 2)
area/ociSubsystem: ociSubsystem: ocipriority/highShould land in next releaseShould land in next releasesecuritySecurity-relevant change or hardeningSecurity-relevant change or hardeningStatus: Open.#194 In ocx-sh/ocx;Acceptance harness: referrers-capable registry (registry:3 or zot)
area/testsSubsystem: testsSubsystem: testsStatus: Open.#195 In ocx-sh/ocx;Offline and air-gapped verify: trust-root cache + refresh
area/ociSubsystem: ociSubsystem: ocisecuritySecurity-relevant change or hardeningSecurity-relevant change or hardeningStatus: Open.#196 In ocx-sh/ocx;