Spike: Explore how we can manage keys for making attestations #55
Assignees
Labels
enhancement ✨
New feature or request
Comments
|
After some investigation leaning towards sigstore - if this is easy enough to airgap deploy we could use it for signing lots of stuff - including users signing things (not just workloads) |
|
Blocked on decisions around: defenseunicorns/uds-core#509 |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Is your feature request related to a problem? Please describe.
We need to determine an easy way to manage / provide keys to allow workload attestations to work within our SWF pipelines - this will target the in-toto specification (with witness as the underlying tooling to start - this may eventually be vendored directly into Maru).
Describe the solution you'd like
Describe alternatives you've considered
We could avoid attestations / in-toto but there is a lot of nice auditing capabilities that we would be missing out on without it.
Additional context
SPIFFE / SPIRE is a likely candidate for implementing this though an ADR should be created that outlines our selection.
The text was updated successfully, but these errors were encountered: