openshift · mramendi · May 15, 2025
diff --git a/...les/op-chains-generating-x509-secret.adoc → ...s/op-chains-generating-cosign-secret.adoc b/...les/op-chains-generating-x509-secret.adoc → ...s/op-chains-generating-cosign-secret.adoc
@@ -2,24 +2,10 @@
 // * secure/using-tekton-chains-for-openshift-pipelines-supply-chain-security.adoc
 
 :_mod-docs-content-type: PROCEDURE
-[id="chains-generating-x509-secret_{context}"]
-= Generating the x509 key pair by using the TektonConfig CR
+[id="chains-generating-cosign-secret_{context}"]
+= Generating the cosign key pair by using the TektonConfig CR
 
-To use the `x509` signing scheme for {tekton-chains} secrets, you must generate the `x509` key pair.
-
-You can generate the `x509` key pair by setting the `generateSigningSecret` field in the `TektonConfig` custom resource (CR) to `true`. 
-The {pipelines-title} Operator generates an `ecdsa` type key pair: an `x509.pem` private key and an `x509-pub.pem` public key. The Operator stores the keys in the `signing-secrets` secret in the `openshift-pipelines` namespace.
-
-[WARNING]
-====
-If you set the `generateSigningSecret` field from `true` to `false`, the {pipelines-title} Operator overrides and empties any value in the `signing-secrets` secret. Ensure that you store the `x509-pub.pem` public key outside of the secret to protect the key from the deletion. The Operator can use the key at a later stage to verify artifact attestations.
-====
-
-The {pipelines-title} Operator does not provide the following functions to limit potential security issues:
-
-* Key rotation 
-* Auditing key usage
-* Proper access control to the key
+To use the `cosign` signing scheme for {tekton-chains} secrets, you can generate a `cosign` key pair that uses ECDSA encryption by setting the `generateSigningSecret` field in the `TektonConfig` custom resource (CR) to `true`.
 
 .Prerequisites
 
@@ -37,7 +23,7 @@ $ oc edit TektonConfig config
 
 . In the `TektonConfig` CR, set the `generateSigningSecret` value to `true`:
 +
-.Example of creating an ecdsa key pair by using the TektonConfig CR
+.Example of creating an ECDSA cosign key pair by using the TektonConfig CR
 [source,yaml]
 ----
 apiVersion: operator.tekton.dev/v1
@@ -52,3 +38,26 @@ spec:
 # ...
 ----
 <1> The default value is `false`. Setting the value to `true` generates the `ecdsa` key pair.
+
+.Result
+
+The {pipelines-shortname} Operator generates an `ecdsa` type `cosign` key pair and stores it in the `signing-secrets` secret in the `openshift-pipelines` namespace. The secret includes the following files:
+
+* `cosign.key`: The private key
+* `cosign.password`: The password for decrypting the private key
+* `cosign.pub` The public key
+
+If a `signing-secrets` secret already exists, the Operator does not overwrite the secret.
+
+
+
+[WARNING]
+====
+If you set the `generateSigningSecret` field from `true` to `false`, the {pipelines-title} Operator overrides and empties any value in the `signing-secrets` secret. Ensure that you store the `x509-pub.pem` public key outside of the secret to protect the key from the deletion. The Operator can use the key at a later stage to verify artifact attestations.
+====
+
+The {pipelines-title} Operator does not provide the following functions to limit potential security issues:
+
+* Key rotation
+* Auditing key usage
+* Proper access control to the key
diff --git a/modules/op-chains-signing-secrets-cosign.adoc b/modules/op-chains-signing-secrets-cosign.adoc
@@ -4,7 +4,7 @@
 :_mod-docs-content-type: PROCEDURE
 
 [id="chains-signing-secrets-cosign_{context}"]
-= Signing with the cosign tool
+= Manually generating signing secrets with the cosign tool
 
 You can use the `cosign` signing scheme with {tekton-chains} using the `cosign` tool.
 

diff --git a/modules/op-chains-signing-secrets-skopeo.adoc b/modules/op-chains-signing-secrets-skopeo.adoc
@@ -4,13 +4,13 @@
 :_mod-docs-content-type: PROCEDURE
 
 [id="chains-signing-secrets-skopeo_{context}"]
-= Signing with the skopeo tool
+= Manually generating signing secrets with the skopeo tool
 
 You can generate keys using the `skopeo` tool and use them in the `cosign` signing scheme with {tekton-chains}.
 
 .Prerequisites
 
-* You installed the link:https://github.com/containers/skopeo[skopeo] tool.
+* You installed the `skopeo` package on your Linux system.
 
 .Procedure
 

diff --git a/secure/using-tekton-chains-for-openshift-pipelines-supply-chain-security.adoc b/secure/using-tekton-chains-for-openshift-pipelines-supply-chain-security.adoc
@@ -26,7 +26,7 @@ include::modules/op-creating-mounting-kms-authentication-token-secret.adoc[level
 include::modules/op-enabling-tekton-chains-to-operate-only-in-selected-namespaces.adoc[leveloffset=+2]
 
 include::modules/op-signing-secrets-in-tekton-chains.adoc[leveloffset=+1]
-include::modules/op-chains-generating-x509-secret.adoc[leveloffset=+2]
+include::modules/op-chains-generating-cosign-secret.adoc[leveloffset=+2]
 include::modules/op-chains-signing-secrets-cosign.adoc[leveloffset=+2]
 include::modules/op-chains-signing-secrets-skopeo.adoc[leveloffset=+2]
 include::modules/op-chains-resolving-existing-secret.adoc[leveloffset=+2]