
[docs] Verification with Connaisseur

Open ianlewis opened this issue 3 years ago • 4 comments

Document examples using Connaisseur to verify provenance.

ianlewis avatar Jul 21 '22 08:07 ianlewis

Unfortunately it looks like keyless is not yet supported (https://github.com/sse-secure-systems/connaisseur/issues/141).

Also, it seems, based on the docs, that Connaisseur will only verify signatures created via cosign sign and doesn't support provenance signed and uploaded by cosign attest.

ianlewis avatar Jul 21 '22 09:07 ianlewis

Do you know where Connaisseur keeps the signature? We could have an option signing-format: cosign, raw, etc.

laurentsimon avatar Jul 21 '22 20:07 laurentsimon

Based on the docs, it seems Connaisseur uses the signature as stored by cosign sign. So the signature would be stored in the registry. But right now it doesn't support keyless, so you need to set the public key to use for validation in a customvalidator custom resource. https://sse-secure-systems.github.io/connaisseur/v2.6.1/validators/sigstore_cosign/#basic-usage

ianlewis avatar Jul 21 '22 22:07 ianlewis
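For reference, this is roughly what the key-based Connaisseur validator configuration described above looks like (an added illustration, not from this issue or the Connaisseur project; the validator name, image pattern and `validators`/`trust_roots`/`policy` layout follow the structure of the linked docs as I understand them, and the PEM key is a placeholder):

```yaml
# Connaisseur Helm values fragment (assumed layout, see linked docs).
# Only images matching a policy pattern are admitted, and only if the
# registry holds a `cosign sign` signature that verifies against the
# configured public key. There is no keyless (Fulcio/Rekor) trust root
# here because, per this thread, keyless is not supported yet, and a
# `cosign attest` provenance attestation is not checked by this config.
validators:
  - name: customvalidator
    type: cosign
    trust_roots:
      - name: default
        # Public half of the key pair used with `cosign sign --key ...`.
        key: |
          -----BEGIN PUBLIC KEY-----
          <PLACEHOLDER: paste the signer's PEM public key here>
          -----END PUBLIC KEY-----

policy:
  # Route every tag of this image through the key-based validator.
  - pattern: "ghcr.io/example-org/example-image:*"
    validator: customvalidator
```

The admission decision therefore rests entirely on the out-of-band distribution of that public key; losing or rotating the signing key means updating this values file, which is exactly the operational gap keyless signing is meant to close.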

I think we are blocked on connaisseur supporting keyless and SLSA for now so I'll remove this from our milestone.

ianlewis avatar Sep 22 '22 00:09 ianlewis