New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Support for CirleCI #1235

Closed

fproulx-boostsecurity opened this issue Jun 19, 2023 · 1 comment

Labels

question

fproulx-boostsecurity commented Jun 19, 2023

Question
Given that CircleCI finally added the ability to specific a custom audience https://circleci.com/docs/api/v2/index.html#operation/PatchOrgClaims . Does it mean that cosign should work now ? It appears though, that given they simply pass the the token as env var in the job (unlike GitHub, looks like there is currently no way for a job to dynamically craft a new token with custom audience). https://circleci.com/docs/openid-connect-tokens/#format-of-the-openid-connect-id-token

So my understanding, is that we can set it to either a static value sigstore or an array that contains sigstore.

Does fulcio support list of audiences ?

The text was updated successfully, but these errors were encountered:

fproulx-boostsecurity added the question label

Contributor

haydentherapper commented Jun 19, 2023

Dup of #591

haydentherapper closed this as not planned

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment