| 1 | +--- |
| 2 | +title: Signing and verification methods |
| 3 | +--- |
| 4 | + |
| 5 | +All attestations are bundled in a DSSE Envelope and signed before being sent to Chainloop Control Plane. This happens transparently while performing a `chainloop attestation push` command. |
| 6 | + |
| 7 | +Verification of the attestation integrity is done through the `workflow run describe --verify true` command. |
| 8 | + |
| 9 | +The signing and verification methods used by Chainloop CLI will depend on the different options provided. |
| 10 | + |
| 11 | +These are the various signing and verification methods currently supported by Chainloop: |
| 12 | + |
| 13 | +:::note |
| 14 | +Some of these signing methods are inherited from the amazing Sigstore community products. Please make sure to check |
| 15 | +[their documentation](https://docs.sigstore.dev/signing/signing_with_blobs/#signing-with-a-key) on the usage of the `--key` argument for key references. |
| 16 | +::: |
| 17 | + |
| 18 | +| Method | Signing (`chainloop att push`) | Verifying (`chainloop wf run describe --verify true`) | |
| 19 | +|-------------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| |
| 20 | +| Cosign key | `--key cosign.key` | `--key cosign.pub` | |
| 21 | +| KMS | `--key awskms://<KeyID>` | `--key awskms://<KeyID>` | |
| 22 | +| PKCS#11 | `--key pkcs11://<KeyId>` | `--key pkcs11://<KeyId>` | |
| 23 | +| Kubernetes secret | `--key k8s://<namespace>/<secretName>` (where `cosign.key` and `cosign.password` secrets are expected) | `--key k8s://<namespace>/<secretName>` (where `cosign.pub` is expected) | |
| 24 | +| Gitlab secret | `--key gitlab://<project>` (it will look for `COSIGN_PRIVATE_KEY`, `COSIGN_PASSWORD` variables) | `--key gitlab://<project>` (it will look for `COSIGN_PUBLIC_KEY` variable) | |
| 25 | +| Ephemeral (file based CA) | Configure your CA in [your deployment](https://github.com/chainloop-dev/chainloop/blob/main/deployment/chainloop/templates/controlplane/file_ca.secret.yaml) and omit the `--key` when pushing your attestation. <br/>To download the verification material for later verification, add `--bundle my-bundle.json` to the push options | If verification material was downloaded while signing, you can use it to verify:<br/>`cat my-bundle.json \| jq -r ".verificationMaterial.x509CertificateChain.certificates.[].rawBytes" \| base64 --decode \| openssl x509 -inform DER -outform PEM -out cert.pem`. <br/>Then you can use `--cert cert.pem --cert-chain my-root.pem` in the `describe` command | |
| 26 | +| [SignServer](https://www.signserver.org/) | You can sign with your instance of SignServer with `--key signserver://host/worker` | Both signing certificate and chain must be provided out of band. Use `--cert signingcert.pem --cert-chain root.pem` to verify | |
| 27 | + |
| 28 | +The following methods are work in progress and **not yet supported**. |
| 29 | + |
| 30 | +| Method | Signing | Verifying | |
| 31 | +|--------------------------------------------------------------------------------|-----------------------------------------------------------|-----------------------------------------------------------------------------------------| |
| 32 | +| Ephemeral (file based CA) with verification bundle stored in the control plane | No key needed | No verification material needed (will be automatically downloaded from Chainloop Vault) | |
| 33 | +| x509 certificate | `--key privatekey --cert cert.pem --cert-chain chain.pem` | `--cert cert.pem --cert-chain chain.pem` | |
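Review bot: in the "Ephemeral (file based CA)" row (line 25) the verification one-liner `cat my-bundle.json | jq -r ".verificationMaterial.x509CertificateChain.certificates.[].rawBytes" | base64 --decode | openssl x509 -inform DER -outform PEM -out cert.pem` yields only the first certificate even when the bundle's chain holds several: `base64 --decode` concatenates every DER blob into one stream and `openssl x509` stops after the first structure, so any intermediates are silently dropped. Suggest selecting the leaf explicitly with `.certificates[0].rawBytes` (this also avoids the `.certificates.[]` spelling, which jq releases before 1.7 reject as a syntax error) and saying how the reader obtains the rest of the chain. Related: the same row passes `--cert-chain my-root.pem` without saying where `my-root.pem` comes from; it has to be the root of the CA configured in the deployment, obtained from a trusted source, not something pulled out of the bundle being verified, otherwise the check proves nothing about who signed. Minor: line 7 gives the verification command as `workflow run describe --verify true` without the `chainloop` prefix used everywhere else, and the "KMS" row on line 21 shows only the `awskms://` scheme, so either rename the row or list the other schemes if they are supported.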