
RFE: Allow verifying signature using certificates in annotations

Open maxking opened this issue 3 years ago • 3 comments

Description

I am not sure if it is already possible to do so in policy-controller, but I am trying to figure out what is the best way to verify a container image that is signed using a custom X.509 certificate with the cert and cert chain embedded in the signature, without having to depend on a tlog.

With cosign CLI, I can do something along the lines of:

COSIGN_EXPERIMENTAL=1 SIGSTORE_ROOT_FILE=Root_CA.crt.pem cosign verify --rekor-url="" $IMAGE:$TAG

Version

1.12.1

maxking avatar Sep 25 '22 18:09 maxking
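The verification the issue asks for (trust a private root, walk the certificate chain that travels with the signature, check the payload signature, consult no transparency log) is what the example below does in plain Go with only the standard library. This is an added illustration, not code from cosign or policy-controller: the `Envelope` type is a hypothetical stand-in for the payload, signature, certificate and chain that cosign stores with a signature, and the root/intermediate/leaf hierarchy and the signed payload are constructed inline so the program runs offline. It deliberately does not reproduce everything cosign checks (no SCT, no subject or issuer identity match), only the chain-to-root and signature steps.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Envelope is a hypothetical model of what cosign keeps alongside a
// signature: the signed payload, the raw signature, and the PEM-encoded
// leaf certificate and intermediate chain stored as annotations.
type Envelope struct {
	Payload, Signature, CertPEM, ChainPEM []byte
}

// VerifyWithRoot checks env against a trusted root PEM and nothing else
// (no transparency log): the embedded leaf must chain to rootPEM through
// the embedded intermediates, be valid for code signing at `at`, and the
// payload signature must verify under the leaf key.
func VerifyWithRoot(env Envelope, rootPEM []byte, at time.Time) error {
	roots := x509.NewCertPool()
	if !roots.AppendCertsFromPEM(rootPEM) {
		return errors.New("no usable root certificate")
	}
	inters := x509.NewCertPool()
	if len(env.ChainPEM) > 0 && !inters.AppendCertsFromPEM(env.ChainPEM) {
		return errors.New("chain annotation holds no usable certificate")
	}
	block, _ := pem.Decode(env.CertPEM)
	if block == nil {
		return errors.New("certificate annotation is not PEM")
	}
	leaf, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return fmt.Errorf("parse leaf: %w", err)
	}
	if _, err := leaf.Verify(x509.VerifyOptions{
		Roots: roots, Intermediates: inters, CurrentTime: at,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning},
	}); err != nil {
		return fmt.Errorf("chain does not reach trusted root: %w", err)
	}
	pub, ok := leaf.PublicKey.(*ecdsa.PublicKey)
	if !ok {
		return errors.New("leaf key is not ECDSA")
	}
	digest := sha256.Sum256(env.Payload)
	if !ecdsa.VerifyASN1(pub, digest[:], env.Signature) {
		return errors.New("payload signature does not verify under leaf key")
	}
	return nil
}

// issue mints a certificate for pub signed by parentKey (self-signed when
// parent is nil). Fixture code only, so it panics instead of returning errors.
func issue(cn string, isCA bool, pub *ecdsa.PublicKey, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, []byte) {
	serial, _ := rand.Int(rand.Reader, big.NewInt(1<<62))
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  isCA,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}
	}
	if parent == nil {
		parent = tmpl
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}

func genKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// NewTestEnvelope builds a constructed fixture: private root -> intermediate
// -> code-signing leaf, a signed payload, and an unrelated root that must
// NOT validate the chain. Returns (envelope, rootPEM, unrelatedRootPEM).
func NewTestEnvelope() (Envelope, []byte, []byte) {
	rootKey, interKey, leafKey, otherKey := genKey(), genKey(), genKey(), genKey()
	root, rootPEM := issue("Private Root CA", true, &rootKey.PublicKey, nil, rootKey)
	inter, interPEM := issue("Private Intermediate CA", true, &interKey.PublicKey, root, rootKey)
	_, leafPEM := issue("image-signer", false, &leafKey.PublicKey, inter, interKey)
	_, otherRootPEM := issue("Unrelated Root CA", true, &otherKey.PublicKey, nil, otherKey)
	payload := []byte(`{"critical":{"identity":{"docker-reference":"registry.example/app"}}}`) // constructed
	digest := sha256.Sum256(payload)
	sig, err := ecdsa.SignASN1(rand.Reader, leafKey, digest[:])
	if err != nil {
		panic(err)
	}
	return Envelope{Payload: payload, Signature: sig, CertPEM: leafPEM, ChainPEM: interPEM}, rootPEM, otherRootPEM
}

func main() {
	env, rootPEM, otherRootPEM := NewTestEnvelope()
	fmt.Println("trusted root:  ", VerifyWithRoot(env, rootPEM, time.Now()))
	fmt.Println("unrelated root:", VerifyWithRoot(env, otherRootPEM, time.Now()))
}
```

The intermediate is deliberately supplied only through the envelope's chain annotation, not added to the trusted pool: a verifier should trust nothing the signer ships except as a path back to the root it was configured with.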

We're moving to a world where you can specify multiple TUF roots which would allow you to do this. There's quite a bit of underlying work to get there, but we're making progress :)

Today you can only have one TUF root. So if you're only verifying against your private root of trust, you would have to specify a custom TUF root which would contain your Root_CA.crt.pem

https://docs.sigstore.dev/policy-controller/installation

vaikas avatar Sep 29 '22 17:09 vaikas

I think we are fine with only one TUF root, but I am not sure how a TUF root compares to the SIGSTORE_ROOT_FILE and/or other certificate verification mechanisms. I tried to read through the docs, but it didn't help much.

maxking avatar Sep 30 '22 04:09 maxking

If you launch PolicyController with that env variable, it should work until the next release.

vaikas avatar Oct 05 '22 21:10 vaikas