
Integrate sigstore's root of trust into cosign #389

Closed
dekkagaijin opened this issue Jun 24, 2021 · 4 comments

Comments

@dekkagaijin (Member)

Allows us to validate cert chains and signatures for arbitrary images and binaries.

TODO: decide on what the UX should look like for keyless attestation of signatures

@dekkagaijin dekkagaijin added this to the v1.0.0 milestone Jun 24, 2021
@dlorenc (Member)

dlorenc commented Jun 25, 2021

cc @asraa any thoughts here?

@asraa (Contributor)

asraa commented Jun 25, 2021

Hm! Interesting, good point. Here's what you could do:

With the client portion of the demo code #366:
We can fetch and validate the targets the root of trust signed (e.g. fulcio root ca and rekor public key hardcoded in cosign) before using them. Where would we want to place the TUF metadata, though?

  • on a registry like the demo PR?
  • we could fetch directly with HTTP on GitHub as well

In order to facilitate all of that people would need to provide / trust some initial root keys they trust (to bootstrap all of this anyway). That needs a source of truth/provision as well.

Edit: But besides enabling the client to fetch the targets with the initial root, I don't think anything else in the UX needs to change.

@asraa (Contributor)

asraa commented Jun 30, 2021

We can fetch and validate the targets the root of trust signed (e.g. fulcio root ca and rekor public key hardcoded in cosign) before using them.

If it makes sense to pin the initial root in cosign and add verification for Fulcio/Rekor keys and certs, let me know! I can at least use an HTTP fetch.
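The bootstrap described in the two comments above (an initial root pinned in the client, then the fetched Fulcio root CA and Rekor key validated against root-signed targets before use), as an added Go example that is not cosign's or go-tuf's own code. It collapses TUF's root-to-targets delegation into one pinned ed25519 key, and the target names, blobs and signing seed are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
)

// Targets is a stripped-down TUF targets payload: target name -> SHA-256 hex.
// Real TUF metadata also carries version, expiry and key delegation (elided).
type Targets struct {
	Hashes map[string]string `json:"hashes"`
}

// Envelope wraps the raw payload bytes with a signature over exactly those bytes.
type Envelope struct {
	Payload []byte `json:"payload"`
	Sig     []byte `json:"sig"`
}

// PinnedRoot stands in for the initial root key shipped inside the client
// (constructed from an all-zero seed so the example is deterministic).
var PinnedRoot = ed25519.NewKeyFromSeed(make([]byte, ed25519.SeedSize)).Public().(ed25519.PublicKey)

// VerifyTargets accepts fetched metadata only if the pinned root signed it;
// where it was fetched from (registry, GitHub over HTTP) adds no trust.
func VerifyTargets(root ed25519.PublicKey, env Envelope) (*Targets, error) {
	if !ed25519.Verify(root, env.Payload, env.Sig) {
		return nil, fmt.Errorf("targets metadata not signed by pinned root")
	}
	var t Targets
	if err := json.Unmarshal(env.Payload, &t); err != nil {
		return nil, fmt.Errorf("decoding targets: %w", err)
	}
	return &t, nil
}

// CheckTarget verifies a fetched blob (e.g. the Fulcio root CA PEM or the
// Rekor public key) against the digest the signed metadata lists for it.
func CheckTarget(t *Targets, name string, blob []byte) error {
	want, ok := t.Hashes[name]
	if !ok {
		return fmt.Errorf("%s: not listed in signed targets", name)
	}
	sum := sha256.Sum256(blob)
	if got := hex.EncodeToString(sum[:]); got != want {
		return fmt.Errorf("%s: digest %s does not match signed %s", name, got, want)
	}
	return nil
}
```

A client would call VerifyTargets once on the downloaded metadata and then CheckTarget on every key or certificate blob before handing it to the Fulcio or Rekor verification paths.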

@dlorenc dlorenc closed this as completed Jul 12, 2021
@dlorenc dlorenc reopened this Jul 29, 2021
@dlorenc (Member)

dlorenc commented Jul 29, 2021

Don't know how I closed this one by accident!

@dekkagaijin could you link your doc here when it's ready?

@cpanato cpanato modified the milestones: v1.0.0, v1.1.0 Aug 4, 2021
@cpanato cpanato modified the milestones: v1.1.0, v1.2.0 Aug 26, 2021
@cpanato cpanato removed this from the v1.2.0 milestone Sep 15, 2021
@dlorenc dlorenc closed this as completed Dec 19, 2021