cosigned should support verifying Fulcio signatures #866
Comments
Here's sort of what I'm thinking:
Over time, we can use this configmap to pass additional configuration, including:
... and likely a bunch more (e.g. stuff like cc @dlorenc @dekkagaijin @n3wscott for thoughts
I guess we could start verifying against Fulcio when no key is specified without the ConfigMap switch too, but I do think a ConfigMap switch is in our not-to-distant future 🤔
This change makes it so that when `cosigned` is enabled on a namespace, and no public key is provided the webhook will verify things against the Fulcio root. The basic idea here is that this roughly matches the CLI where omitting the key will verify things against the Fulcio root instead.
Related: sigstore#866
Signed-off-by: Matt Moore <mattomata@gmail.com>
I'm going to close this, and we can open a new issue for greater configurability.
Description
Today the `cosigned` webhook requires folks to set up `k8s://cosign-system/verification-key` with the public key that should be used for verification. The webhook passes the following `CheckOpts`:
cosign/pkg/cosign/kubernetes/webhook/validation.go, lines 61 to 62 in 278ad7d
... which includes a `SigVerifier` based on the verification key, which sends us through this path in `Verify`:
cosign/pkg/cosign/verify.go, lines 143 to 150 in 278ad7d
... but for Fulcio we want things to follow this path:
cosign/pkg/cosign/verify.go, lines 151 to 184 in 278ad7d
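The rule the description and the PR message above amount to, as an added stand-alone Go sketch (not code from the cosign repository): verify with the pinned key when one is configured, otherwise require the signing certificate to chain to the Fulcio root and verify with that certificate's key. `Verify`, `mintChain`, the Ed25519 keys and the throwaway root and leaf are assumptions of this example; cosign's real `CheckOpts` plumbing, Rekor and identity checks are not modelled.

```go
package main
import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"fmt"
	"math/big"
	"time"
)
// Verify applies the rule the PR describes: a pinned key wins when one is configured
// (cosign's SigVerifier path); otherwise the signing certificate must chain to the
// Fulcio roots and its own key is used. Rekor/SCT and identity checks are omitted.
func Verify(key ed25519.PublicKey, roots *x509.CertPool, payload, sig []byte, cert *x509.Certificate) error {
	if key != nil {
		if !ed25519.Verify(key, payload, sig) {
			return fmt.Errorf("signature does not verify under pinned key")
		}
		return nil
	}
	if cert == nil || roots == nil { // nil roots would silently mean "system roots"
		return fmt.Errorf("no key configured and no cert/roots for the keyless path")
	}
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}}
	if _, err := cert.Verify(opts); err != nil {
		return fmt.Errorf("cert does not chain to Fulcio root: %w", err)
	}
	return cert.CheckSignature(x509.PureEd25519, payload, sig) // checked with the cert's key
}
// mintChain: throwaway root + short-lived code-signing leaf standing in for Fulcio material (constructed, not real).
func mintChain() (*x509.CertPool, *x509.Certificate, ed25519.PrivateKey) {
	rpub, rk, _ := ed25519.GenerateKey(rand.Reader)
	lpub, lk, _ := ed25519.GenerateKey(rand.Reader)
	root := &x509.Certificate{SerialNumber: big.NewInt(1), IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign, NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	der, _ := x509.CreateCertificate(rand.Reader, root, root, rpub, rk)
	root, _ = x509.ParseCertificate(der)
	leaf := &x509.Certificate{SerialNumber: big.NewInt(2), ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(10 * time.Minute)} // short-lived, as Fulcio issues
	der, _ = x509.CreateCertificate(rand.Reader, leaf, root, lpub, rk)
	leaf, _ = x509.ParseCertificate(der)
	pool := x509.NewCertPool()
	pool.AddCert(root)
	return pool, leaf, lk
}
func main() {
	roots, leaf, lk := mintChain()
	payload := []byte(`{"critical":{"identity":{"docker-reference":"example.test/app"}}}`) // constructed
	sig := ed25519.Sign(lk, payload)
	fmt.Println("keyless:", Verify(nil, roots, payload, sig, leaf), "pinned:", Verify(lk.Public().(ed25519.PublicKey), nil, payload, sig, nil)) // both <nil>
}
```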