Add Cosign keyless specification

Signed-off-by: Stefan Prodan <stefan.prodan@gmail.com>
pull/3154/head
Stefan Prodan 2 years ago
parent 72d90b5692
commit f417352370
GPG Key ID: 3299AEB0E4085BAF

@ -4,7 +4,7 @@
**Creation date:** 2022-03-31 **Creation date:** 2022-03-31
**Last update:** 2022-08-22 **Last update:** 2022-09-28
## Summary ## Summary
@ -124,16 +124,6 @@ spec:
semver: "6.0.x" semver: "6.0.x"
``` ```
To verify the authenticity of an artifact, the Sigstore cosign public key can be supplied with:
```yaml
spec:
verify:
provider: cosign
secretRef:
name: cosign-key
```
### Layer selection ### Layer selection
By default, Flux assumes that the first layer of the OCI artifact contains the Kubernetes configuration. By default, Flux assumes that the first layer of the OCI artifact contains the Kubernetes configuration.
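Review bot: removing the `spec.verify` snippet from this section (the lines after `semver: "6.0.x"`) leaves the version-selection example with no pointer to where verification is now documented; add a one-line cross-reference to the new "Verify artifacts" section so a reader of this part still finds the `provider: cosign` and `secretRef` syntax.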
@ -224,6 +214,34 @@ controller will use a specific cloud SDK for authentication purposes. If both `s
a non-generic provider are present in the definition, the controller will use the static credentials a non-generic provider are present in the definition, the controller will use the static credentials
from the referenced secret. from the referenced secret.
### Verify artifacts
To verify the authenticity of the OCI artifacts, Flux will use the Sigstore Go SDK and implement verification
for artifacts which were either signed with keys generated by Cosign or signed using the Cosign
[keyless method](https://github.com/sigstore/cosign/blob/main/KEYLESS.md).
To enable signature verification, the Cosign public key can be supplied with:
```yaml
spec:
verify:
provider: cosign
secretRef:
name: cosign-key
```
For verifying public artifacts which are signed using the keyless method,
the `spec.verify.secretRef` field must be omitted:
```yaml
spec:
verify:
provider: cosign
```
When using the keyless method, Flux will verify the signatures in the Rekor
transparency log instance hosted at [rekor.sigstore.dev](https://rekor.sigstore.dev/).
### Reconcile artifacts ### Reconcile artifacts
The `OCIRepository` can be used as a drop-in replacement for `GitRepository` and `Bucket` sources. The `OCIRepository` can be used as a drop-in replacement for `GitRepository` and `Bucket` sources.
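Review bot: the keyless paragraph (`spec.verify.secretRef` omitted, signatures checked against the Rekor log at rekor.sigstore.dev) does not say which identity the signature must carry, so as written any keyless signature recorded in the public log would be accepted; the spec should require the signing certificate's subject and OIDC issuer to be matched against an expected identity before the artifact is trusted, and should state whether the Rekor endpoint is fixed or configurable for private Sigstore deployments. It would also help to state the expected key name inside the `cosign-key` Secret, since the text only says the public key "can be supplied with" the `secretRef`.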
