You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
When using generator_generic_slsa3 in the workflow, the last part of the "generator/Create and sign provenance" step outputs "Uploaded signed attestation to rekor with UUID". I would like to use this UUID value as input in a subsequent job. How should I do this?
The text was updated successfully, but these errors were encountered:
Can you tell us more about your use-case for outputting the rekor UUID as a workflow output?
We need to search for unique logs in sigstore using the rekor entry UUID to verify provenance. Using the hash alone isn't enough to identify the provenance generated by the current workflow, especially if the deployment fails or multiple people deploy the same code. Therefore, the rekor Entry UUID as a workflow output is crucial to accurately identify the generated provenance.
For Sigstore, we want to discourage doing live lookups in the log in favor of verifying persisted inclusion proofs offline. We've filed an issue (#3750) to track support for this. In the meantime, adding the Rekor entry UUID as output seems reasonable.
When using generator_generic_slsa3 in the workflow, the last part of the "generator/Create and sign provenance" step outputs "Uploaded signed attestation to rekor with UUID". I would like to use this UUID value as input in a subsequent job. How should I do this?
The text was updated successfully, but these errors were encountered: