fix(CALUNGA-214): use public key for Chains provenance verification

ronnll · ralphbean · commit c88aa7c57eb7 · 2026-04-02T16:26:07.000Z
The fetch-chains-provenance step was referencing the private signing
key in k8s://tekton-chains/signing-secrets, which the release service
account does not have access to. Since cosign verify-attestation only
needs the public key, we switch to k8s://openshift-pipelines/public-key
which is the same key used by EC verification.

Signed-off-by: Ronny Lim &lt;rlim@redhat.com&gt;
diff --git a/tasks/managed/extract-py-artifacts/README.md b/tasks/managed/extract-py-artifacts/README.md
@@ -1,6 +1,9 @@
 # extract-py-artifacts
 
 Extract Python packages from OCI artifacts for signing and upload.
+The fetch-chains-provenance step verifies and retrieves Tekton Chains SLSA provenance
+using cosign with the public key from k8s://openshift-pipelines/public-key.
+The pipeline service account must have get access to this secret
 
 ## Parameters
 
diff --git a/tasks/managed/extract-py-artifacts/extract-py-artifacts.yaml b/tasks/managed/extract-py-artifacts/extract-py-artifacts.yaml
@@ -6,6 +6,9 @@ metadata:
 spec:
   description: |
     Extract Python packages from OCI artifacts for signing and upload.
+    The fetch-chains-provenance step verifies and retrieves Tekton Chains SLSA provenance
+    using cosign with the public key from k8s://openshift-pipelines/public-key.
+    The pipeline service account must have get access to this secret
   params:
     - name: SNAPSHOT_PATH
       type: string
@@ -176,7 +179,7 @@ spec:
             --type=slsaprovenance \
             --insecure-ignore-tlog=true \
             --insecure-ignore-sct=true \
-            --key k8s://tekton-chains/signing-secrets \
+            --key k8s://openshift-pipelines/public-key \
             "${IMAGE}" 2>"${COSIGN_STDERR}" | head -1 | jq . > "${PROVENANCE_FILE}"; then
             echo "  Saved Chains provenance to ${PROVENANCE_FILE}"
           else
