Add two env variables. One for using Rekor public key from OOB and one for fetching it from Rekor server #1610
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
one for fetching the API from the Rekor API. Signed-off-by: Ville Aikas <vaikas@chainguard.dev>
dlorenc
approved these changes
Mar 16, 2022
vaikas
added a commit
to vaikas/scaffolding
that referenced
this pull request
Mar 16, 2022
Add `verify-job` job which will run cosign verify. Bump Fulcio to v0.2.0 release. Update cosign containers to latest CI builds to pick up sigstore/cosign#1610 Signed-off-by: Ville Aikas <vaikas@chainguard.dev>
vaikas
added a commit
to sigstore/scaffolding
that referenced
this pull request
Mar 16, 2022
* Change job `check-oidc` name to `sign-job`. Add `verify-job` job which will run cosign verify. Bump Fulcio to v0.2.0 release. Update cosign containers to latest CI builds to pick up sigstore/cosign#1610 Signed-off-by: Ville Aikas <vaikas@chainguard.dev> * Forgot to copy and use fulcio public key in verify. Signed-off-by: Ville Aikas <vaikas@chainguard.dev> * Add --rekor-url flag to example verify command as well as the env variable SIGSTORE_TRUST_REKOR_API_PUBLIC_KEY=1 Signed-off-by: Ville Aikas <vaikas@chainguard.dev>
coyote240
pushed a commit
to coyote240/cosign
that referenced
this pull request
Mar 16, 2022
…igstore#1610) one for fetching the API from the Rekor API. Signed-off-by: Ville Aikas <vaikas@chainguard.dev>
mlieberman85
pushed a commit
to mlieberman85/cosign
that referenced
this pull request
May 6, 2022
…igstore#1610) one for fetching the API from the Rekor API. Signed-off-by: Ville Aikas <vaikas@chainguard.dev>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Add two env variables. One for using Rekor public key from OOB and
one for fetching the API from the Rekor API.
Signed-off-by: Ville Aikas vaikas@chainguard.dev
Summary
Add new Environmental variable:
SIGSTORE_REKOR_PUBLIC_KEY
This is kind of like the other SIGSTORE_* that allows you to override some keys / certs. It
allows you to use OOB Rekor Public Key.
Since Rekor API exposes a method for fetching the Public Key it's using, add an env
variable that fetches the public key from the Rekor server.
SIGSTORE_TRUST_REKOR_API_PUBLIC_KEY
This was discovered during the implementation of the Cosigned API work and in particular
validating the keyless images.
I'll be adding e2e tests for this tmw using the sigstore scaffolding.
Ticket Link
Fixes
Release Note