Sign the Vibes

Open gorkem opened this issue 7 months ago • 3 comments

Describe the problem you're trying to solve

Many users already rely on Cosign for signing and attesting OCI artifacts. Today you can use it to sign KitOps ModelKits - but it's a two-step / two-tool process.

Describe the solution you'd like

To provide a seamless end-to-end experience within KitOps, we should add analogous kit sign and kit attest subcommands to the kit CLI. This will allow users to sign ModelKits and attach attestations without switching tools.

New subcommands:

  • kit sign
  • kit attest
  • kit verify

Follow the same flag semantics as cosign for sign and attest, but verify should cover both ModelKit signing and attestation verification.

gorkem avatar May 01 '25 14:05 gorkem

Would like to work on this.

srikary12 avatar May 11 '25 08:05 srikary12

Sure. Let me know what you are thinking.

gorkem avatar May 12 '25 15:05 gorkem

I would like to work on this issue. I went through the signing flow with cosign and verifying the signature. Also, should the signature be published to the public transparency log by default (via Rekor), or should users be allowed to choose whether to publish or not?

cr3ativ3cod3r avatar Nov 01 '25 15:11 cr3ativ3cod3r