
Improve cosign configuration options

Open hiddeco opened this issue 1 year ago • 2 comments

For future improvements these are the things I think we should address:

  • appending signature to transparency log is the default in v2 (where it was only done for keyless in v1) and we can opt out. We should provide that option.
  • verify image using keyless verification with the given certificate chain and identity parameters, without Fulcio roots (for BYO PKI): cosign verify --cert-chain chain.crt --certificate-oidc-issuer https://issuer.example.com --certificate-identity [email protected] <IMAGE>
  • k8s-keychain, whether to use the Kubernetes keychain instead of the default keychain (supports workload identity).
  • rekor-url, for private Rekor instances
  • signature-digest-algorithm, the default is SHA-256

There is also the topic of SBOM attachment, but there is a different discussion for that.

Originally posted by @souleb in https://github.com/fluxcd/source-controller/issues/1096#issuecomment-1556769007

hiddeco May 22 '23 09:05