
Improve cosign configuration options #1103

Open
hiddeco opened this issue May 22, 2023 · 2 comments
Labels: area/helm (Helm related issues and pull requests), area/oci (OCI related issues and pull requests), enhancement (New feature or request)

Comments

hiddeco (Member) commented May 22, 2023

For future improvements these are the things I think we should address:

  • appending signature to transparency log is the default in v2 (where it was only done for keyless in v1) and we can opt out. We should provide that option.
  • verify image using keyless verification with the given certificate chain and identity parameters, without Fulcio roots (for BYO PKI): cosign verify --cert-chain chain.crt --certificate-oidc-issuer https://issuer.example.com --certificate-identity [email protected] <IMAGE>
  • k8s-keychain, whether to use the Kubernetes keychain instead of the default keychain (supports workload identity).
  • rekor-url, for private rekor instances
  • signature-digest-algorithm, the default is sha-256

There is also the topic of SBOM attachment, but there is a different discussion for that.

Originally posted by @souleb in #1096 (comment)

@hiddeco hiddeco added enhancement New feature or request area/helm Helm related issues and pull requests area/oci OCI related issues and pull requests labels May 22, 2023
timaebi commented Oct 28, 2023

Adding options to the CRD to verify the OIDC issuer and the certificate identity would be very helpful.

stefanprodan (Member) commented:

@timaebi see #1250
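To make concrete what the issuer/identity pair in the BYO PKI bullet above (and the CRD options timaebi asks for) actually enforces, here is an added Go example; it is not code from this issue, from source-controller, or from cosign. It constructs a self-signed certificate that carries the Fulcio OIDC issuer extension (assumed here to be the legacy raw-string form under OID 1.3.6.1.4.1.57264.1.1) and a SAN email, then applies the same check cosign performs for `--certificate-oidc-issuer` and `--certificate-identity`: a certificate that chains correctly is still rejected unless both the issuer and one SAN identity match. Function names, the issuer URL and the email addresses are assumptions made for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Fulcio certificate extension carrying the OIDC issuer URL. Assumption: the
// 1.3.6.1.4.1.57264.1.1 extension stores the URL as a raw (non-DER) string; the
// newer .1.8 extension DER-encodes it and is not handled here.
var oidIssuerV1 = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 57264, 1, 1}

// issuerOf returns the OIDC issuer recorded in a signing certificate.
func issuerOf(cert *x509.Certificate) (string, error) {
	for _, ext := range cert.Extensions {
		if ext.Id.Equal(oidIssuerV1) {
			return string(ext.Value), nil
		}
	}
	return "", errors.New("certificate has no Fulcio issuer extension")
}

// identitiesOf returns the subject identities that --certificate-identity is
// matched against: the SAN email addresses and URIs.
func identitiesOf(cert *x509.Certificate) []string {
	ids := append([]string{}, cert.EmailAddresses...)
	for _, u := range cert.URIs {
		ids = append(ids, u.String())
	}
	return ids
}

// checkIdentity mirrors the --certificate-oidc-issuer / --certificate-identity
// pair: both the issuer and one SAN identity must match exactly, otherwise any
// certificate issued by the same CA (e.g. to another tenant) would verify.
func checkIdentity(cert *x509.Certificate, wantIssuer, wantIdentity string) error {
	issuer, err := issuerOf(cert)
	if err != nil {
		return err
	}
	if issuer != wantIssuer {
		return fmt.Errorf("issuer %q does not match expected %q", issuer, wantIssuer)
	}
	for _, id := range identitiesOf(cert) {
		if id == wantIdentity {
			return nil
		}
	}
	return fmt.Errorf("no SAN identity matches %q", wantIdentity)
}

// newSigningCert builds a constructed, self-signed certificate carrying the
// Fulcio issuer extension and a SAN email, standing in for a Fulcio-style leaf.
func newSigningCert(issuer, email string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:    big.NewInt(1),
		Subject:         pkix.Name{CommonName: "constructed-signer"},
		NotBefore:       time.Now().Add(-time.Minute),
		NotAfter:        time.Now().Add(10 * time.Minute),
		EmailAddresses:  []string{email},
		ExtraExtensions: []pkix.Extension{{Id: oidIssuerV1, Value: []byte(issuer)}},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	// Constructed sample values; a real deployment pins its own issuer and identity.
	cert, err := newSigningCert("https://issuer.example.com", "releases@example.com")
	if err != nil {
		panic(err)
	}
	fmt.Println("expected identity:", checkIdentity(cert, "https://issuer.example.com", "releases@example.com"))
	fmt.Println("wrong issuer:     ", checkIdentity(cert, "https://other.example.com", "releases@example.com"))
	fmt.Println("wrong identity:   ", checkIdentity(cert, "https://issuer.example.com", "other-team@example.com"))
}
```

The point for a verifying controller is that `--cert-chain` only establishes that the signer's certificate was issued by the trusted PKI; without the issuer and identity match, every signer that PKI has ever issued a certificate to would be accepted, which is why the two options belong together in the CRD.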
