Add blog post: Keyless Security with Tekton Chains #731
anithapriyanatarajan wants to merge 1 commit into
/kind documentation
@vdemeester: GitHub didn't allow me to request PR reviews from the following users: arewm, jkhelil. Note that only tektoncd members and repo collaborators can review this PR, and authors cannot review their own PRs. Details: In response to this: Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
[APPROVALNOTIFIER] This PR is APPROVED. This pull-request has been approved by: vdemeester. The full list of commands accepted by this bot can be found here. The pull request process is described here. Details: Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing
arewm left a comment
I added some comments and included some from Claude as well.
One thing that I struggle with, especially with how this post ends, is how should consumers treat Chains signatures? Chains has no ability to gate its signing based on whether artifacts are good/bad... this results in similar confusion to recent attacks where compromised npm packages had valid SLSA provenance.
When talking about identities, attestations, and signatures, we need to make sure we don't overly trust the identity/metadata. I view a signature as essentially an "empty" VSA ... but because it is empty, consumers have no ability to consume it to gate anything.
Adds a polished blog post explaining keyless signing with Tekton Chains, including how the Fulcio/Rekor OIDC flow works inside Tekton, configuration, verification, and a mermaid architecture diagram of the signing flow.
/hold
Changes
Adds a new blog post: Keyless Security with Tekton Chains.
The post explains keyless signing with Tekton Chains in practical terms:
File added:
content/en/blog/2026/keyless-security-with-tekton-chains/index.md