
Add Transparency Log viewing (Rekor-based) to Chainloop

Open zmarouf opened this issue 1 year ago • 0 comments

The current tool of choice to browse the TLog is https://rekor.tlog.dev/. I believe Chainloop could provide an alternative that is more in line with its scope of contract and materials verification. We could, for example, combine the cosign verify-attestation CLI command with the Chainloop-centric contract verification flow. In cosign, for a GitHub Actions workflow, this looks like:

Verification for my-container@sha256:<digest>
The following checks were performed on each of these signatures:
  - The cosign claims were validated
  - Existence of the claims in the transparency log was verified offline
  - The code-signing certificate was verified using trusted certificate authority certificates
Certificate subject:  <Subject>
Certificate issuer URL:  <OIDC Issuer URL>
GitHub Workflow Trigger: workflow_dispatch
GitHub Workflow SHA: <source code commit hash>
GitHub Workflow Name: <Workflow name>
GitHub Workflow Trigger: <Workflow repository>
GitHub Workflow Ref: <Workflow reference>

zmarouf, Mar 24 '23 02:03
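As an added example that is not part of this issue and is neither Chainloop's nor cosign's code: a small Python script that parses the verification header cosign prints (the shape quoted above) and checks the signer identity against a hypothetical contract, which is one way the "Chainloop-centric contract verification" proposed here could consume cosign's result. The issuer, subject, repository, ref and allowed triggers in the contract, and the sample output itself, are constructed values. The sample deliberately mirrors the quoted output, including the label "GitHub Workflow Trigger" appearing twice, so repeated labels are accumulated into lists rather than overwritten.

```python
# Added example (not Chainloop's or cosign's code): parse the verification
# header that `cosign verify-attestation` prints and check it against an
# expected workflow identity, the way a verification contract could pin it.
import re
from typing import Dict, List

# Constructed sample in the shape of the output quoted in the issue.
# Values are made up. The label "GitHub Workflow Trigger" appears twice,
# exactly as in the quoted output, so the parser must not overwrite values.
SAMPLE_OUTPUT = """\
Verification for ghcr.io/example/my-container@sha256:0123456789abcdef
The following checks were performed on each of these signatures:
  - The cosign claims were validated
  - Existence of the claims in the transparency log was verified offline
  - The code-signing certificate was verified using trusted certificate authority certificates
Certificate subject:  https://github.com/example/my-container/.github/workflows/release.yml@refs/heads/main
Certificate issuer URL:  https://token.actions.githubusercontent.com
GitHub Workflow Trigger: workflow_dispatch
GitHub Workflow SHA: 1a2b3c4d5e6f7a8b9c0d1e2f3a4b5c6d7e8f9a0b
GitHub Workflow Name: release
GitHub Workflow Trigger: example/my-container
GitHub Workflow Ref: refs/heads/main
"""

# Hypothetical contract: what the verifying side expects the signer to be.
CONTRACT = {
    "issuer": "https://token.actions.githubusercontent.com",
    "subject_regexp": r"https://github\.com/example/my-container/\.github/workflows/release\.yml@refs/heads/main",
    "repository": "example/my-container",
    "ref": "refs/heads/main",
    "allowed_triggers": {"push", "workflow_dispatch"},
}

_CHECK_RE = re.compile(r"^\s+-\s+(.+)$")
_FIELD_RE = re.compile(r"^([A-Za-z][A-Za-z /-]*?):\s+(.+)$")


def parse_verification_header(text: str) -> dict:
    """Split cosign's header into the artifact, the checks it reports and
    the certificate fields. Repeated labels accumulate into a list."""
    artifact = None
    checks: List[str] = []
    fields: Dict[str, List[str]] = {}
    for line in text.splitlines():
        if line.startswith("Verification for "):
            artifact = line[len("Verification for "):].strip()
            continue
        m = _CHECK_RE.match(line)
        if m:
            checks.append(m.group(1).strip())
            continue
        m = _FIELD_RE.match(line)
        if m:
            fields.setdefault(m.group(1), []).append(m.group(2).strip())
    return {"artifact": artifact, "checks": checks, "fields": fields}


def evaluate_contract(parsed: dict, contract: dict) -> List[str]:
    """Return the list of contract violations (empty means the signer matches)."""
    failures: List[str] = []
    fields = parsed["fields"]
    # The header must state that tlog inclusion was checked, not just the claims.
    if not any("transparency log" in c for c in parsed["checks"]):
        failures.append("transparency log inclusion was not verified")
    if fields.get("Certificate issuer URL") != [contract["issuer"]]:
        failures.append("unexpected OIDC issuer: %r" % fields.get("Certificate issuer URL"))
    subjects = fields.get("Certificate subject", [])
    if not any(re.fullmatch(contract["subject_regexp"], s) for s in subjects):
        failures.append("certificate subject %r does not match the expected workflow identity" % subjects)
    # The repository may arrive under its own label or, as in the output quoted
    # in the issue, under a second "GitHub Workflow Trigger" line; accept either.
    repos = fields.get("GitHub Workflow Repository", []) + fields.get("GitHub Workflow Trigger", [])
    if contract["repository"] not in repos:
        failures.append("workflow repository %r not found" % contract["repository"])
    triggers = fields.get("GitHub Workflow Trigger", [])
    if not any(t in contract["allowed_triggers"] for t in triggers):
        failures.append("workflow trigger %r is not allowed" % triggers)
    if fields.get("GitHub Workflow Ref") != [contract["ref"]]:
        failures.append("workflow ref %r is not the pinned ref" % fields.get("GitHub Workflow Ref"))
    return failures


def verify_output(text: str, contract: dict) -> List[str]:
    """Parse and evaluate in one step; returns the list of violations."""
    return evaluate_contract(parse_verification_header(text), contract)


# Constructed negative case: the same signer, but from a different branch.
TAMPERED_OUTPUT = SAMPLE_OUTPUT.replace("refs/heads/main", "refs/heads/feature-x")

if __name__ == "__main__":
    for name, out in (("release build", SAMPLE_OUTPUT), ("feature branch", TAMPERED_OUTPUT)):
        failures = verify_output(out, CONTRACT)
        print(name, "->", "OK" if not failures else failures)
```

The check on the "transparency log" line is the part that matters for this issue: a contract that only pins the certificate fields would accept a signature whose Rekor inclusion was never checked, so the header's own list of performed checks is treated as input to the policy rather than as decoration.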