From 1036fa734c223100a7ac0843b45f566b3b841935 Mon Sep 17 00:00:00 2001 From: Dylan Richardson Date: Sun, 5 Nov 2023 21:35:29 -0600 Subject: [PATCH] update pkcs11 docs with cert ignore instructions (#266) Signed-off-by: Dylan Richardson --- content/en/signing/pkcs11.md | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/content/en/signing/pkcs11.md b/content/en/signing/pkcs11.md index 1e687bd3..0832a734 100644 --- a/content/en/signing/pkcs11.md +++ b/content/en/signing/pkcs11.md @@ -98,3 +98,10 @@ The following checks were performed on each of these signatures: [{"critical":{"identity":{"docker-reference":"gcr.io/dlorenc-vmtest2/demo"},"image":{"docker-manifest-digest":"sha256:410a07f17151ffffb513f942a01748dfdb921de915ea6427d61d60b0357c1dcd"},"type":"cosign container image signature"},"optional":null}] ``` + +If your PKCS11 key has an associated x509 certificate, `cosign` will attach the certificate to your signature by default. If you would like `cosign` to ignore these certificates and not attach them, you can set the `COSIGN_PKCS11_IGNORE_CERTIFICATE` environment variable to `1`: + +```shell +$ COSIGN_PKCS11_IGNORE_CERTIFICATE=1 cosign sign --key "" $IMAGE_DIGEST +Pushing signature to: gcr.io/vmtest2/demo:sha256-410a07f17151ffffb513f942a01748dfdb921de915ea6427d61d60b0357c1dcd.sig +```
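Review bot: The example command in the added lines passes an empty key reference (`--key ""`), so a reader cannot tell what to supply there; put a visible placeholder for the PKCS11 key URI in the quotes. The sample output also pushes to `gcr.io/vmtest2/demo`, while the verification output in the context line just above refers to `gcr.io/dlorenc-vmtest2/demo`, and the two should name the same repository. The paragraph should state whether only the value `1` enables the behaviour or any non-empty value does, and it would help to add one sentence on what changes for verification when the certificate is not attached to the signature. Minor style point: the prose writes "x509" in lower case; "X.509" is the usual spelling.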