Merge pull request #3154 from fluxcd/rfc-0003-cosign

[RFC-0003] Add Cosign keyless specification

rfcs/0003-kubernetes-oci/README.md

@@ -4,7 +4,7 @@
 
 **Creation date:** 2022-03-31
 
-**Last update:** 2022-08-22
+**Last update:** 2022-09-28
 
 ## Summary
 
@@ -124,16 +124,6 @@ spec:
     semver: "6.0.x"
 ```
 
-To verify the authenticity of an artifact, the Sigstore cosign public key can be supplied with:
-
-```yaml
-spec:
-  verify:
-    provider: cosign
-    secretRef:
-      name: cosign-key
-```
-
 ### Layer selection
 
 By default, Flux assumes that the first layer of the OCI artifact contains the Kubernetes configuration.
@@ -224,6 +214,34 @@ controller will use a specific cloud SDK for authentication purposes. If both `s
 a non-generic provider are present in the definition, the controller will use the static credentials
 from the referenced secret.
 
+### Verify artifacts
+
+To verify the authenticity of the OCI artifacts, Flux will use the Sigstore Go SDK and implement verification
+for artifacts which were either signed with keys generated by Cosign or signed using the Cosign
+[keyless method](https://github.com/sigstore/cosign/blob/main/KEYLESS.md).
+
+To enable signature verification, the Cosign public key can be supplied with:
+
+```yaml
+spec:
+  verify:
+    provider: cosign
+    secretRef:
+      name: cosign-key
+```
+
+For verifying public artifacts which are signed using the keyless method,
+the `spec.verify.secretRef` field must be omitted:
+
+```yaml
+spec:
+  verify:
+    provider: cosign
+```
+
+When using the keyless method, Flux will verify the signatures in the Rekor
+transparency log instance hosted at [rekor.sigstore.dev](https://rekor.sigstore.dev/).
+
 ### Reconcile artifacts
 
 The `OCIRepository` can be used as a drop-in replacement for `GitRepository` and `Bucket` sources.