
[RFC-0003] Verify OCI artifacts with cosign static keys #863

Closed
@stefanprodan

Description

Implement cosign verification as specified in RFC-0003 Flux OCI support for Kubernetes manifests:

```yaml
apiVersion: source.toolkit.fluxcd.io/v1beta2
kind: OCIRepository
spec:
  interval: 10m
  url: oci://ghcr.io/org/my-app-config
  ref:
    semver: "1.x"
  verify:
    provider: cosign
    secretRef:
      name: cosign-keys
---
apiVersion: v1
kind: Secret
metadata:
  name: cosign-keys
stringData:
  key1.pub: "<public static key1>"
  key2.pub: "<public static key2>"
```

The RFC mentions only cosign static keys, where the given secret contains one or more public keys. Besides static keys, cosign supports keyless signing using OIDC such as GitHub and Google. We need to decide how to enable keyless verification, but for now we should implement the RFC spec.
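As an added illustration of the "one or more public keys" semantics described above (example code, not Flux's or the RFC's implementation): each `stringData` entry of the secret is parsed as a PEM PKIX ECDSA public key, the format `cosign generate-key-pair` writes to `cosign.pub`, and a signature is accepted when any one of the configured keys verifies it. The keys, payload and digest are constructed for the demo; real cosign signs a Simple Signing payload, which is reduced here to a SHA-256 digest.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"encoding/pem"
	"fmt"
)

// keysFromSecret parses every PEM PKIX ECDSA public key in the secret's stringData
// (key1.pub, key2.pub, ...); one malformed entry fails the whole load.
func keysFromSecret(stringData map[string]string) ([]*ecdsa.PublicKey, error) {
	var keys []*ecdsa.PublicKey
	for name, s := range stringData {
		block, _ := pem.Decode([]byte(s))
		if block == nil {
			return nil, fmt.Errorf("%s: not PEM", name)
		}
		pub, err := x509.ParsePKIXPublicKey(block.Bytes)
		ec, ok := pub.(*ecdsa.PublicKey) // ok is false when err != nil (pub is nil)
		if err != nil || !ok {
			return nil, fmt.Errorf("%s: not a PKIX ECDSA public key", name)
		}
		keys = append(keys, ec)
	}
	return keys, nil
}
// verifyAny: trusted if any configured key verifies the ASN.1 ECDSA signature over digest.
func verifyAny(keys []*ecdsa.PublicKey, digest, sig []byte) bool {
	for _, k := range keys {
		if ecdsa.VerifyASN1(k, digest, sig) {
			return true
		}
	}
	return false
}
func pubPEM(k *ecdsa.PrivateKey) string { // same PEM form as cosign.pub
	der, _ := x509.MarshalPKIXPublicKey(&k.PublicKey)
	return string(pem.EncodeToMemory(&pem.Block{Type: "PUBLIC KEY", Bytes: der}))
}
func main() {
	k1, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // constructed keys for the demo
	k2, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	keys, _ := keysFromSecret(map[string]string{"key1.pub": pubPEM(k1), "key2.pub": pubPEM(k2)})
	d := sha256.Sum256([]byte("constructed payload")) // stand-in for the signed artifact digest
	sig, _ := ecdsa.SignASN1(rand.Reader, k2, d[:])
	fmt.Println(verifyAny(keys, d[:], sig)) // true: a match on key2 alone is enough
}
```

A signature from a key that is not in the secret, or the same signature checked against a different digest, is rejected, and a malformed `.pub` entry fails the load instead of silently shrinking the trusted set.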
