
Fix cosign rekor URL default

Open akashsinghal opened this issue 2 years ago • 1 comments

What happened in your environment?

The docs for cosign mention the default rekorURL is the sigstore one. However, the value is not truly default. It must be set currently.

The verifier should be updated to set the default AND the docs for now should be updated with the current behavior.

What did you expect to happen?

No response

What version of Kubernetes are you running?

No response

What version of Ratify are you running?

No response

Anything else you would like to add?

No response

Are you willing to submit PRs to contribute to this bug fix?

  • [x] Yes, I am willing to implement it.

akashsinghal, Nov 06 '23 18:11

@yizha1 @susanshi I'm thinking we move this to the future as well. For the time being, I have updated the documentation to reflect the requirement to specify the full rekorURL if using keyless verification. We can bundle this with the other cosign improvements needed. Does that suffice?

akashsinghal, Nov 08 '23 18:11

Closing since this value is legacy behavior and will not be updated. Users should migrate to TrustPolicy in Cosign verifier, which will have a keyless section.

akashsinghal, May 16 '24 18:05