
Improve cosign configuration options #1103

Open
@hiddeco

Description

For future improvements these are the things I think we should address:

  • appending the signature to the transparency log is the default in v2 (where it was only done for keyless in v1) and we can opt out. We should provide that option.
  • verify an image using keyless verification with the given certificate chain and identity parameters, without Fulcio roots (for BYO PKI): cosign verify --cert-chain chain.crt --certificate-oidc-issuer https://issuer.example.com --certificate-identity [email protected] <IMAGE>
  • k8s-keychain, whether to use the Kubernetes keychain instead of the default keychain (supports workload identity).
  • rekor-url, for private Rekor instances
  • signature-digest-algorithm, the default is sha-256

There is also the topic of SBOM attachment but there is a different discussion for that.

Originally posted by @souleb in #1096 (comment)
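The flag combinations listed in the comment above, as an added example that is not code from the Flux project or from the issue authors: a POSIX sh function that assembles the cosign verify command line for the two verification modes (a public key, or keyless against a private CA chain instead of the Fulcio roots) together with the transparency-log, keychain and digest options. The VERIFY_* variables and the build_verify_cmd name are invented for this example; the flags are cosign v2 CLI spellings (--certificate-chain is the v2 long form of the --cert-chain flag shown above, --insecure-ignore-tlog is the v2 opt-out from Rekor checking). It assumes the private CA does not publish to a certificate transparency log, so it adds --insecure-ignore-sct in that mode; drop that flag if your CA does. The image reference and file paths in the demo are placeholders.

```shell
#!/bin/sh
# Added example, not code from the Flux project or the issue thread.
# Assembles a `cosign verify` command line from VERIFY_* variables (names
# invented here) so the flag combination can be reviewed before it runs.
# Values are assumed to be shell-safe (no whitespace); the command is printed,
# not executed.

# build_verify_cmd IMAGE
# Prints the cosign verify command for IMAGE. Returns 1 when the selected
# mode is missing a required input, so a misconfiguration cannot silently
# fall back to a weaker verification.
build_verify_cmd() {
    image=$1
    cmd="cosign verify"

    case "${VERIFY_MODE:-keyed}" in
    keyed)
        # Public-key verification: a file, KMS URI or k8s://ns/secret ref.
        [ -n "$VERIFY_KEY" ] || { echo "VERIFY_KEY is required for keyed mode" >&2; return 1; }
        cmd="$cmd --key $VERIFY_KEY"
        ;;
    keyless-byo-pki)
        # Keyless verification rooted in a private CA chain rather than the
        # Fulcio roots. cosign v2 refuses keyless verification without an
        # identity and issuer constraint, so all three inputs are mandatory.
        for v in VERIFY_CERT_CHAIN VERIFY_OIDC_ISSUER VERIFY_IDENTITY; do
            eval "val=\${$v}"
            [ -n "$val" ] || { echo "$v is required for keyless-byo-pki mode" >&2; return 1; }
        done
        cmd="$cmd --certificate-chain $VERIFY_CERT_CHAIN"
        cmd="$cmd --certificate-oidc-issuer $VERIFY_OIDC_ISSUER"
        cmd="$cmd --certificate-identity $VERIFY_IDENTITY"
        # Assumption: the private CA has no CT log, so the embedded-SCT check
        # would fail. Opt out explicitly (remove if your CA does log certs).
        cmd="$cmd --insecure-ignore-sct"
        ;;
    *)
        echo "unknown VERIFY_MODE: $VERIFY_MODE" >&2
        return 1
        ;;
    esac

    # Transparency log: v2 checks Rekor by default. Either point cosign at a
    # private instance, or opt out (weaker: a stolen signing key can then
    # produce signatures that never appear in any log).
    if [ -n "$VERIFY_REKOR_URL" ]; then
        cmd="$cmd --rekor-url $VERIFY_REKOR_URL"
    fi
    if [ "${VERIFY_IGNORE_TLOG:-false}" = "true" ]; then
        cmd="$cmd --insecure-ignore-tlog"
    fi

    # Registry credentials from the Kubernetes keychain (workload identity)
    # instead of the default docker config keychain.
    if [ "${VERIFY_K8S_KEYCHAIN:-false}" = "true" ]; then
        cmd="$cmd --k8s-keychain"
    fi

    # Digest algorithm used when the signature was produced; sha256 is the
    # cosign default, so only a non-default value needs the flag.
    if [ -n "$VERIFY_DIGEST_ALG" ] && [ "$VERIFY_DIGEST_ALG" != "sha256" ]; then
        cmd="$cmd --signature-digest-algorithm $VERIFY_DIGEST_ALG"
    fi

    echo "$cmd $image"
}

# Demo with constructed placeholder values: keyless BYO PKI plus a private
# Rekor instance. Runs in a subshell so the exports do not leak.
(
    export VERIFY_MODE=keyless-byo-pki VERIFY_CERT_CHAIN=chain.crt \
           VERIFY_OIDC_ISSUER=https://issuer.example.com \
           VERIFY_IDENTITY=release-bot@example.com \
           VERIFY_REKOR_URL=https://rekor.example.com
    build_verify_cmd ghcr.io/example/app:v1.2.3
)
```

Export the VERIFY_* variables for the mode you want, check the printed command, then run it; the function deliberately fails rather than emitting a partial command when the keyless mode lacks an identity or issuer, because that is the constraint cosign v2 itself enforces.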

    Labels

    area/helm (Helm related issues and pull requests), area/oci (OCI related issues and pull requests), enhancement (New feature or request)