Fulcio signing in Chains #147
Conversation
```go
	// KMS
	kmsSignerKMSRef = "signers.kms.kmsref"
	// Fulcio
	x509SignerFulcioEnabled = "signers.x509.fulcio.enabled"
```
Should we have a way to specify the URL for fulcio?
Also maybe a way to specify how to get auth (right now google, but going forward SPIFFE?)
> Should we have a way to specify the URL for fulcio?

The cosign library we use for fulcio signing depends on setting the FULCIO_ADDRESS environment variable, so we'd probably want to add support for passing it as an arg or something first. Then we could add signers.x509.fulcio.address which defaults to the prod one.

> Also maybe a way to specify how to get auth (right now google, but going forward SPIFFE?)

Yeah, that's a good idea. I'll add in signers.x509.fulcio.auth
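The thread above settles on three config keys for the Fulcio signer (the `enabled` key from the diff plus the proposed `address` and `auth` keys) and notes that the cosign library reads the Fulcio endpoint from the FULCIO_ADDRESS environment variable. The following Go snippet is an added example, not code from the Chains PR, showing one way to resolve those keys from ConfigMap-style data with a precedence of explicit key, then environment variable, then default, and to validate the result before exporting it for cosign. The key names `signers.x509.fulcio.address` and `signers.x509.fulcio.auth`, the auth provider names `google` and `spiffe`, and the production default `https://fulcio.sigstore.dev` are assumptions taken from the discussion, not from the merged code.

```go
package main

import (
	"fmt"
	"net/url"
	"os"
	"strings"
)

// Config keys from the thread. "enabled" appears in the diff; "address" and
// "auth" are the names proposed in review (assumed, not from the merged PR).
const (
	keyFulcioEnabled = "signers.x509.fulcio.enabled"
	keyFulcioAddress = "signers.x509.fulcio.address"
	keyFulcioAuth    = "signers.x509.fulcio.auth"

	// Environment variable the cosign library reads, per the thread.
	fulcioAddressEnv = "FULCIO_ADDRESS"
	// Assumed production default; confirm against the Sigstore docs before relying on it.
	defaultFulcioAddress = "https://fulcio.sigstore.dev"
)

// FulcioConfig is the resolved signer configuration.
type FulcioConfig struct {
	Enabled bool
	Address string
	Auth    string
}

// allowedAuth lists the providers mentioned in the thread (google now, SPIFFE later).
var allowedAuth = map[string]bool{"google": true, "spiffe": true}

// ResolveFulcioConfig builds a FulcioConfig from ConfigMap-style data and an
// environment lookup. Address precedence: explicit config key, then the
// FULCIO_ADDRESS variable, then the assumed production default. The address
// must be an https URL so a plaintext endpoint cannot slip in via config.
func ResolveFulcioConfig(data map[string]string, env func(string) string) (FulcioConfig, error) {
	cfg := FulcioConfig{}
	cfg.Enabled = strings.EqualFold(strings.TrimSpace(data[keyFulcioEnabled]), "true")
	if !cfg.Enabled {
		return cfg, nil // nothing to validate when the signer is off
	}
	cfg.Address = strings.TrimSpace(data[keyFulcioAddress])
	if cfg.Address == "" {
		cfg.Address = strings.TrimSpace(env(fulcioAddressEnv))
	}
	if cfg.Address == "" {
		cfg.Address = defaultFulcioAddress
	}
	u, err := url.Parse(cfg.Address)
	if err != nil || u.Scheme != "https" || u.Host == "" {
		return cfg, fmt.Errorf("%s: expected an https URL, got %q", keyFulcioAddress, cfg.Address)
	}
	cfg.Auth = strings.ToLower(strings.TrimSpace(data[keyFulcioAuth]))
	if cfg.Auth == "" {
		cfg.Auth = "google" // current behaviour described in the thread
	}
	if !allowedAuth[cfg.Auth] {
		return cfg, fmt.Errorf("%s: unknown auth provider %q", keyFulcioAuth, cfg.Auth)
	}
	return cfg, nil
}

// ExportForCosign sets the variable the cosign library reads, so the resolved
// address takes effect without changing the library call site.
func ExportForCosign(cfg FulcioConfig) error {
	if !cfg.Enabled {
		return nil
	}
	return os.Setenv(fulcioAddressEnv, cfg.Address)
}

func main() {
	// Constructed sample ConfigMap data for a private Fulcio instance.
	data := map[string]string{
		keyFulcioEnabled: "true",
		keyFulcioAddress: "https://fulcio.example.internal",
		keyFulcioAuth:    "spiffe",
	}
	cfg, err := ResolveFulcioConfig(data, os.Getenv)
	if err != nil {
		fmt.Println("config error:", err)
		return
	}
	if err := ExportForCosign(cfg); err != nil {
		fmt.Println("export error:", err)
		return
	}
	fmt.Printf("%+v\n", cfg)
}
```

Passing the environment lookup as a function keeps the resolver testable without touching the real process environment; in the controller it would simply be `os.Getenv`.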
LGTM! Squash and we can merge!

This PR adds support for signing with a cert from Fulcio & stores the cert alongside the signature for each backend

/lgtm

/approve
[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: dlorenc

The full list of commands accepted by this bot can be found here. The pull request process is described here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing
built off of and resolved merge conflict in #119
sample completed TaskRun: