Allow keyed signing without writing to disk #1776
Labels
enhancement
New feature or request
Comments
|
i like env:// |
|
This is a great option for avoiding on-disk creds in CI, ironically for our DoD customers we are now having to work the opposite direction thanks to https://stigviewer.com/stig/kubernetes/2021-04-14/finding/V-242415. Basically the DoD believes env var secrets are evil now 😭. We ended up using KMS for CI. |
This was referenced Apr 23, 2022
Great, draft PR #1794 does that. I need to wait for sigstore/sigstore#407 to get merged first. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Right now,
cosign sign --keytakes a file or a KMS URL. A file isn't 100% ideal for CI, since you don't want to chance other build steps (which run with the same permissions usually) to be able to read it.Specifically, consider the scenario where the private key comes into GitHub actions as a secret. It'll be exposed to the build step as an environment variable.
Two possible solutions come to mind:
env://handler for cosign keyscosign sign --key env://MY_ENV_VAR--keytake-to indicate STDIN. This may cause issues becausecosign signsometimes prompts. Maybecosign sign --key - --forcewould work here.The text was updated successfully, but these errors were encountered: