
add generic webhook impl for verifying attestation integrity in addition to CUE or Rego policies

Open developer-guy opened this issue 3 years ago • 2 comments

Description

In the meantime, cosign has two different ways of verifying the integrity of attestations: CUE or Rego policies. In this issue, I'm proposing to add a new way of verifying them by calling some external service which makes a decision whether an attestation is valid. IMHO, it adds extra flexibility to a system for people who might not want to write CUE or Rego policies.

WDYT @Dentrax @bobcallaway @dlorenc?

developer-guy avatar Jan 18 '22 18:01 developer-guy
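To make the proposal concrete, here is an added example (written for this page, not code from cosign or from the issue author) of what a "generic webhook" verifier could look like: a verifying client that POSTs the in-toto statement to an external decision service and fails closed on any error, plus a minimal decision service that applies a constructed policy. The request/response JSON shape, the `Decide` policy (SLSA v0.2 provenance from a trusted builder prefix, subject with a sha256 digest) and the sample statements are all assumptions made for the example; cosign defines no such webhook contract.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"strings"
	"time"
)

// Statement is the subset of an in-toto Statement the example needs; cosign
// wraps attestation predicates in this envelope before handing them to a policy.
type Statement struct {
	Type          string          `json:"_type"`
	PredicateType string          `json:"predicateType"`
	Subject       []Subject       `json:"subject"`
	Predicate     json.RawMessage `json:"predicate"`
}

type Subject struct {
	Name   string            `json:"name"`
	Digest map[string]string `json:"digest"`
}

// Request and Response are the webhook wire format ASSUMED by this example.
type Request struct {
	Image     string    `json:"image"`
	Statement Statement `json:"statement"`
}

type Response struct {
	Allow  bool   `json:"allow"`
	Reason string `json:"reason,omitempty"`
}

const slsaProvenanceV02 = "https://slsa.dev/provenance/v0.2"

// Decide is the constructed policy the webhook enforces: a SLSA v0.2 provenance
// predicate, a subject carrying a sha256 digest, and a builder.id under a trusted prefix.
func Decide(req Request) Response {
	st := req.Statement
	if st.PredicateType != slsaProvenanceV02 {
		return Response{Allow: false, Reason: "unexpected predicateType " + st.PredicateType}
	}
	if len(st.Subject) == 0 || st.Subject[0].Digest["sha256"] == "" {
		return Response{Allow: false, Reason: "subject lacks sha256 digest"}
	}
	var pred struct {
		Builder struct {
			ID string `json:"id"`
		} `json:"builder"`
	}
	if err := json.Unmarshal(st.Predicate, &pred); err != nil {
		return Response{Allow: false, Reason: "malformed predicate: " + err.Error()}
	}
	if !strings.HasPrefix(pred.Builder.ID, "https://github.com/slsa-framework/slsa-github-generator/") {
		return Response{Allow: false, Reason: "untrusted builder " + pred.Builder.ID}
	}
	return Response{Allow: true}
}

// Handler serves Decide over HTTP; only POST with a bounded JSON body is accepted.
func Handler(w http.ResponseWriter, r *http.Request) {
	if r.Method != http.MethodPost {
		http.Error(w, "POST only", http.StatusMethodNotAllowed)
		return
	}
	var req Request
	if err := json.NewDecoder(io.LimitReader(r.Body, 1<<20)).Decode(&req); err != nil {
		http.Error(w, "bad request: "+err.Error(), http.StatusBadRequest)
		return
	}
	w.Header().Set("Content-Type", "application/json")
	json.NewEncoder(w).Encode(Decide(req))
}

// VerifyViaWebhook is the client side a verifier would call. It fails closed:
// a transport error, non-200 status or undecodable body is never treated as "allow".
func VerifyViaWebhook(url string, req Request) (bool, string, error) {
	body, err := json.Marshal(req)
	if err != nil {
		return false, "", err
	}
	client := &http.Client{Timeout: 5 * time.Second}
	resp, err := client.Post(url, "application/json", bytes.NewReader(body))
	if err != nil {
		return false, "", fmt.Errorf("webhook unreachable: %w", err)
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return false, "", fmt.Errorf("webhook returned HTTP %d", resp.StatusCode)
	}
	var out Response
	if err := json.NewDecoder(io.LimitReader(resp.Body, 1<<16)).Decode(&out); err != nil {
		return false, "", fmt.Errorf("undecodable webhook response: %w", err)
	}
	return out.Allow, out.Reason, nil
}

// SampleStatement builds a constructed SLSA v0.2 statement for the demo.
func SampleStatement(builderID string) Statement {
	pred, _ := json.Marshal(map[string]interface{}{"builder": map[string]string{"id": builderID}})
	return Statement{
		Type:          "https://in-toto.io/Statement/v0.1",
		PredicateType: slsaProvenanceV02,
		Subject:       []Subject{{Name: "ghcr.io/example/app", Digest: map[string]string{"sha256": strings.Repeat("a", 64)}}},
		Predicate:     pred,
	}
}

func main() {
	srv := httptest.NewServer(http.HandlerFunc(Handler))
	defer srv.Close()
	for _, id := range []string{
		"https://github.com/slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@refs/tags/v1.4.0",
		"https://example.com/unknown-builder",
	} {
		ok, reason, err := VerifyViaWebhook(srv.URL, Request{Image: "ghcr.io/example/app", Statement: SampleStatement(id)})
		fmt.Printf("allow=%v reason=%q err=%v\n", ok, reason, err)
	}
}
```

The point of the split is that the policy lives entirely in the service, which is the flexibility the proposal is after, while the verifier keeps the one property it must never delegate: an unreachable, slow or misbehaving webhook is a denial, not a pass. In a real deployment the statement would be handed over only after cosign has checked its signature, and the webhook endpoint would itself be authenticated (mTLS or a pinned CA), since whoever controls it controls admission.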

IMHO, it adds extra flexibility to a system for people who might not want to write CUE or Rego policies.

Is there a specific system or use case in mind? Webhooks as extensibility always feels like a giant smell to me

dlorenc avatar Jan 18 '22 18:01 dlorenc

@developer-guy @dlorenc We've thought (@vaikas and myself) about using YAML definitions such as the one defined for the ClusterImagePolicy. Therefore users could use cosign verify -f cip.yaml <image> to verify if an image satisfies the policy defined via a yaml file.

hectorj2f avatar Apr 26 '22 09:04 hectorj2f