Skip to content
Back to Milestones

Signing & Trust v1

Open
No due date
Last updated Jul 10, 2026

End-to-end keyless Sigstore signing and verification for OCX packages: real Sign/VerifyPipeline via sigstore-rs (Rekor v1 + TUF trust root day one; Rekor v2 as delta), registry referrers capability handling with clean errors, identity-pinned [trust.policy] in ocx.toml, offline/air-gapped trust-root story, policy-gated auto-verify on install/pull, cosign v3 interop. Secure-defaults story: signed after push, verified by default, typosquatting defeated. Defers: Notation, PKCS#11/YubiKey, private TUF root, rebuilders, SLSA VSA, cosign pre-3.0 consumer compat.

20% complete

List view