Blake Burkhart

68 comments by Blake Burkhart

Yes, addressing #140 will resolve the security impact of this issue. There is already no security risk if an Istio AuthorizationPolicy is applied after authservice and requires a JWT for...

Today the `predicateType` is inside the signed payload, inside the attestation layers themselves. If there are multiple attestation types, it is not possible to pull the manifest and select which...

Also, `cosign verify` should support verification. I think the Go API already should "just work" if you specify the roots correctly. Something like: ``` # possibly somewhat confusing: cosign verify...

@dlorenc Do you have a preference for new flags like `--chain` or putting a concatenated cert chain in the `--cert` PEM file?

For actual verification in a Kubernetes cluster I was looking at [Kyverno's image verification](https://github.com/kyverno/kyverno/blob/bd1a145678166dbf9f81cc910e978bc03b58996c/pkg/cosign/cosign.go#L75-L78) support. It doesn't appear to be documented yet, but [its policies now allow specifying `roots:`](https://github.com/kyverno/kyverno/blob/666130bf6c7a7d8181f1e37ebd9b0c31ef947d17/config/crds/kyverno.io_clusterpolicies.yaml#L2108-L2111). Currently...

@haydentherapper I was thinking of working on it some, but I'm still not really too familiar with the codebase yet, please go ahead and start it. I'll see if I...

Thanks for working on all the changes to implement this! I think this should enable cosign to support a lot of organizational use cases where internal PKI exists. I left...

I think the bug may be that `cosign pkcs11-tool list-tokens` doesn't honor `COSIGN_PKCS11_MODULE_PATH`, only `--module-path`. I noticed this when testing myself: ``` # These work fine: cosign pkcs11-tool list-tokens --module-path=/Library/OpenSC/lib/onepin-opensc-pkcs11.so...

An attractive feature of x509 is it could allow signing with a CA-signed certificate (not self-signed like the current examples). A private self-signed CA could be used to...

@dlorenc Yep, I'm loosely aware of sigstore. It seems like an interesting solution. Something along the lines of "sigstore without fulcio" might make sense for enterprise or CI environments. Enterprises...