
cosign sign with hashivault as KMS without transit

Open • VenutNSA opened this issue 1 year ago • 1 comment

Description

Hey, everyone!

I have a need for static key storage without using transit encryption. Is there any method to force cosign to use the signing key just from the KV storage?

cosign sign --tlog-upload=false --key hashivault://$KEY $IMAGE

VenutNSA, Mar 20 '24 12:03

I don't think this is possible or will be supported/implemented in the future. But you can do the following:

  • Generate key-pair via cosign and save them locally
  • Create secrets as kv in Vault containing the keys
  • Grab the keys from Vault like any normal secret
  • Sign or verify with cosign.

hasanhakkaev, Jul 23 '24 08:07
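The four steps in the reply above as one runnable script. This is an added example, not code from the thread or from the cosign project. It assumes the cosign and vault CLIs are on PATH, VAULT_ADDR and VAULT_TOKEN are already set, a KV v2 engine is mounted at secret/, and the secret path secret/cosign/release and the image name are placeholders. Two practical points the four bullets leave implicit: cosign encrypts the private key with COSIGN_PASSWORD, so the password has to be stored in the same secret, and the key file should be checked and written with owner-only permissions before cosign ever reads it. Unlike the hashivault:// transit path, the private key leaves Vault here, so anyone who can read the KV path can sign.

```shell
#!/bin/sh
# Added example: keep a cosign key pair in Vault KV (not transit) and sign with it.
# Assumptions (not from the thread): cosign and vault CLIs installed, VAULT_ADDR and
# VAULT_TOKEN exported, KV v2 mounted at secret/, placeholder path and image below.
set -eu

KV_PATH="${KV_PATH:-secret/cosign/release}"   # assumed KV v2 path

# Step 1: generate the pair locally. cosign encrypts cosign.key with COSIGN_PASSWORD,
# so the password is part of the secret and must be stored next to the key.
generate_keys() {
  workdir="$1"; password="$2"
  ( cd "$workdir" && COSIGN_PASSWORD="$password" cosign generate-key-pair )
}

# Step 2: store private key, public key and password as one KV secret.
# '@file' tells the vault CLI to read the field value from a file.
store_keys() {
  workdir="$1"; password="$2"
  vault kv put "$KV_PATH" \
    private_key=@"$workdir/cosign.key" \
    public_key=@"$workdir/cosign.pub" \
    password="$password"
}

# Sanity check on what came back from Vault: current cosign writes
# "ENCRYPTED SIGSTORE PRIVATE KEY", older releases wrote "ENCRYPTED COSIGN PRIVATE KEY".
is_cosign_private_key() {
  grep -q -e '-----BEGIN ENCRYPTED SIGSTORE PRIVATE KEY-----' \
          -e '-----BEGIN ENCRYPTED COSIGN PRIVATE KEY-----' "$1"
}

# Write key material from stdin to a file created with mode 0600.
# Returns 1 and removes the file when the content is not a cosign private key.
write_private_key_file() {
  dest="$1"
  old_umask=$(umask)
  umask 077
  cat > "$dest"
  umask "$old_umask"
  if ! is_cosign_private_key "$dest"; then
    rm -f "$dest"
    return 1
  fi
}

# Step 3: fetch the fields like any other KV secret.
fetch_keys() {
  workdir="$1"
  vault kv get -field=private_key "$KV_PATH" | write_private_key_file "$workdir/cosign.key"
  vault kv get -field=public_key "$KV_PATH" > "$workdir/cosign.pub"
}

# Step 4: sign and verify with the file-based key. --tlog-upload=false matches the
# original command, so verification must be told to skip the Rekor lookup as well.
sign_and_verify() {
  workdir="$1"; password="$2"; image="$3"
  COSIGN_PASSWORD="$password" cosign sign --tlog-upload=false --key "$workdir/cosign.key" "$image"
  cosign verify --insecure-ignore-tlog --key "$workdir/cosign.pub" "$image"
}

# End-to-end run: `sh script.sh demo registry.example.com/app:1.0` (image is a placeholder).
if [ "${1:-}" = "demo" ]; then
  image="${2:-registry.example.com/app:1.0}"
  work=$(mktemp -d)
  pw=$(head -c 32 /dev/urandom | od -An -tx1 | tr -d ' \n')
  generate_keys "$work" "$pw"
  store_keys "$work" "$pw"
  rm -f "$work/cosign.key" "$work/cosign.pub"   # from here on, act like a separate signing host
  fetch_keys "$work"
  pw_from_vault=$(vault kv get -field=password "$KV_PATH")
  sign_and_verify "$work" "$pw_from_vault" "$image"
  rm -rf "$work"
fi
```

The Vault policy for the signing host only needs `read` on the KV path; the host that generated the pair needs `create`/`update`. Revoking or rotating the key means writing a new version of the secret and re-distributing cosign.pub, since there is no transit key version to roll.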

Why does cosign generate-key-pair provide the option for --kms hashivault if it doesn't support this use case? https://github.com/sigstore/cosign/blob/main/doc/cosign_generate-key-pair.md

This blog is old, but it appears using keys in the KV store used to work. Am I misunderstanding something? https://chair6.net/using-cosign-and-vault-and-fulcio-and-rekor-to-sign-binaries.html

chizou, Dec 23 '24 21:12