From f41735237060aac2681568e24a29aa8c97e061c5 Mon Sep 17 00:00:00 2001 From: Stefan Prodan Date: Wed, 28 Sep 2022 23:25:36 +0300 Subject: [PATCH] Add Cosign keyless specification Signed-off-by: Stefan Prodan --- rfcs/0003-kubernetes-oci/README.md | 40 ++++++++++++++++++++++-------- 1 file changed, 29 insertions(+), 11 deletions(-) diff --git a/rfcs/0003-kubernetes-oci/README.md b/rfcs/0003-kubernetes-oci/README.md index 585fede5..e03f306c 100644 --- a/rfcs/0003-kubernetes-oci/README.md +++ b/rfcs/0003-kubernetes-oci/README.md @@ -4,7 +4,7 @@ **Creation date:** 2022-03-31 -**Last update:** 2022-08-22 +**Last update:** 2022-09-28 ## Summary @@ -124,16 +124,6 @@ spec: semver: "6.0.x" ``` -To verify the authenticity of an artifact, the Sigstore cosign public key can be supplied with: - -```yaml -spec: - verify: - provider: cosign - secretRef: - name: cosign-key -``` - ### Layer selection By default, Flux assumes that the first layer of the OCI artifact contains the Kubernetes configuration. 
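Review bot: with the `spec.verify` example deleted from the OCIRepository example block (the `-` lines starting at `-To verify the authenticity of an artifact, the Sigstore cosign public key can be supplied with:`), nothing in this part of the RFC now points readers to where verification is specified; add a one-line cross-reference such as "Signature verification is described under Verify artifacts below." so the earlier example reads as having moved the feature rather than dropped it. The `Last update` bump to 2022-09-28 matches the commit date.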
@@ -224,6 +214,34 @@ controller will use a specific cloud SDK for authentication purposes. If both `s a non-generic provider are present in the definition, the controller will use the static credentials from the referenced secret. +### Verify artifacts + +To verify the authenticity of the OCI artifacts, Flux will use the Sigstore Go SDK and implement verification +for artifacts which were either signed with keys generated by Cosign or signed using the Cosign +[keyless method](https://github.com/sigstore/cosign/blob/main/KEYLESS.md). + +To enable signature verification, the Cosign public key can be supplied with: + +```yaml +spec: + verify: + provider: cosign + secretRef: + name: cosign-key +``` + +For verifying public artifacts which are signed using the keyless method, +the `spec.verify.secretRef` field must be omitted: + +```yaml +spec: + verify: + provider: cosign +``` + +When using the keyless method, Flux will verify the signatures in the Rekor +transparency log instance hosted at [rekor.sigstore.dev](https://rekor.sigstore.dev/). + ### Reconcile artifacts The `OCIRepository` can be used as a drop-in replacement for `GitRepository` and `Bucket` sources.
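Review bot: the keyless example (`provider: cosign` with `secretRef` omitted) states no identity constraint, so as written any signature whose Fulcio-issued certificate is recorded in Rekor would satisfy verification regardless of who signed the artifact; the section should state which certificate identity (subject and OIDC issuer) must match, or add a field for it, before this is safe to implement. Two smaller gaps in the same hunk: the key-based example does not say which data key of the referenced Secret holds the PEM public key (or whether every key in the Secret is tried), and the closing sentence hard-codes rekor.sigstore.dev without saying whether a private Rekor instance can be configured.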