github/slsa-verifier
1
0
Fork 0
mirror of https://github.com/slsa-framework/slsa-verifier.git synced 2026-05-16 05:26:34 +00:00
Code Issues Packages Projects Releases Wiki Activity

reword simple hash

Browse Source 
Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com>
This commit is contained in:
Ramon Petgrave
2024-06-22 00:39:13 +00:00
parent b9c6de5635
commit f3b63b7194
1 changed files with 1 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
README.md
View File

@@ -489,8 +489,7 @@ accomodate subjects that are not simple-files.
This experimental support does not work yet with VSAs wrapped in Sigstore bundles, only with simple DSSE envelopes.
With that, we allow the user to pass in the public key.
Note that if the DSSE Envelope `signatures` specifies a `keyid` that is not a simple hash of the key (not a well-known identifier, e.g, `my-kms:prod-vsa-key`), then you
must supply the `--public-key-id` cli option.
Note that if the DSSE Envelope `signatures` specifies a `keyid` that is not a unpadded base64 encoded sha256 hash the key, like `sha256:abc123...` (not a well-known identifier, e.g, `my-kms:prod-vsa-key`), then you must supply the `--public-key-id` cli option.
To verify VSAs, invoke like this