-
Notifications
You must be signed in to change notification settings - Fork 83
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
To go with sigstore/cosign#3876 Signed-off-by: Zach Steindler <steiza@github.com>
- Loading branch information
Showing
1 changed file
with
4 additions
and
2 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -9,13 +9,15 @@ This page contains instructions on how to configure Cosign to work with alternat | |
|
||
Verifying keyless signatures require verifying signatures from Rekor, material (SCTs) from the CT log, and certificates that chain up to Fulcio. The public keys and root certificates for these components are distributed through [TUF](https://theupdateframework.io/) repositories. By default, Cosign uses a TUF client that has an initial trust in an embedded root and then fetches updated verification material from our public-good-instance TUF repository created on the [root-signing](https://github.com/sigstore/root-signing) GitHub repository. | ||
Check failure on line 10 in content/en/cosign/system_config/custom_components.md GitHub Actions / markdownlintTrailing spaces
|
||
|
||
There are three options to configure Cosign to verify against custom components: | ||
There are several options to configure Cosign to verify against custom components: | ||
|
||
1. Use [scaffolding](https://github.com/sigstore/scaffolding) to create a custom Sigstore stack. This provides a TUF root distributing verification material for the custom components, and pre-configured Cosign with the trust root. | ||
|
||
2. Create a TUF repository yourself, using [go-tuf](https://github.com/theupdateframework/go-tuf) or [python-tuf](https://github.com/theupdateframework/python-tuf)'s repository writers. Instructions for how to configure this root is in this [blog post](https://blog.sigstore.dev/sigstore-bring-your-own-stuf-with-tuf-40febfd2badd). This [script](https://gist.github.com/asraa/947f1a38afd03af57c7b71d893c36af0) can be used to create a TUF repository from the custom Fulcio, Rekor, and CT log verification material. | ||
|
||
3. As a last resort, you may also use the following environment variables to configure custom keys out of band. | ||
3. TUF is recommended because it makes it easy to distribute up-to-date key material to clients. However, if you aren't using TUF, you can manually assemble trusted key material into a trusted root file with `cosign trusted-root create ...`. You can then supply that trusted root file to `cosign verify` commands with `--trusted-root`. | ||
|
||
4. As a last resort, you may also use the following environment variables to configure custom keys out of band. | ||
|
||
| Env Variable | Description | | ||
| ---------- | ------------------- | | ||
|