Create attestation log integration
For the non-interactive signing environment (#34) we want to add created signatures to an attestation log.
A simple solution may involve using a dedicated git repository to which the signing environment is able to push (signed) commits that contain information on created signatures. However, integration with existing solutions such as rekor, as well as best practices around their use, needs to be evaluated before evaluating a custom solution.
- received metadata (i.e. file name, hash) of the file being signed
- the name of the user that logged in and requested the signature
- the base64 encoded raw cryptographic signature
Edited by David Runge
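
A sketch of what a custom log entry could look like, as an added example that is not part of the original issue or the project's code: each entry carries the three fields listed above and the digest of the previous entry, similar to how git commits reference their parent, so edits or removals are detectable. The field names, the JSON layout and the `GENESIS` value are assumptions; the code neither checks the signatures themselves nor talks to rekor.

```python
import base64
import hashlib
import json

GENESIS = "0" * 64  # assumed "previous digest" for the first entry


def _digest(body):
    # Canonical JSON so the digest does not depend on key order.
    data = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(data).hexdigest()


def append(log, file_name, sha256_hex, user, signature):
    """Append one entry with the fields from the issue, chained to the last one."""
    if len(sha256_hex) != 64 or any(c not in "0123456789abcdef" for c in sha256_hex):
        raise ValueError("hash must be a lowercase hex SHA-256 digest")
    body = {
        "prev": log[-1]["entry_digest"] if log else GENESIS,
        "file_name": file_name,
        "hash": sha256_hex,
        "user": user,
        "signature": base64.b64encode(signature).decode("ascii"),
    }
    log.append({**body, "entry_digest": _digest(body)})


def verify(log):
    """Return the index of the first inconsistent entry, or -1 if the chain is intact."""
    prev = GENESIS
    for i, entry in enumerate(log):
        body = {k: v for k, v in entry.items() if k != "entry_digest"}
        try:
            base64.b64decode(entry["signature"], validate=True)
        except (KeyError, ValueError):
            return i  # signature field missing or not valid base64
        if entry.get("prev") != prev or _digest(body) != entry.get("entry_digest"):
            return i  # entry edited, reordered, or a predecessor removed
        prev = entry["entry_digest"]
    return -1


if __name__ == "__main__":
    log = []
    # Constructed sample values; bytes(64) stands in for a raw signature.
    file_hash = hashlib.sha256(b"constructed file contents").hexdigest()
    append(log, "example-1.0.pkg", file_hash, "alice", bytes(64))
    append(log, "example-1.1.pkg", file_hash, "bob", bytes(64))
    print(verify(log))
```

The chain only makes tampering evident to someone who knows the latest digest; authenticating the log itself would still rely on the signed commits the issue proposes.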