docs/docs/reference/signing.md
24 additions & 14 deletions
@@ -15,27 +15,37 @@ Some of these signing methods are inherited from the amazing Sigstore community
15
15
[their documentation](https://docs.sigstore.dev/signing/signing_with_blobs/#signing-with-a-key) on the usage of the `--key` argument for key references.
16
16
:::
17
17
18
-
| Method | Signing (`chainloop att push`) | Verifying (`chainloop wf run describe --verify true`) |
| Kubernetes secret |`--key k8s://<namespace>/<secretName>` (where `cosign.key` and `cosign.password` secrets are expected) |`--key k8s://<namespace>/<secretName>` (where `cosign.pub` is expected) |
24
-
| Gitlab secret |`--key gitlab://<project>` (it will look for `COSIGN_PRIVATE_KEY`, `COSIGN_PASSWORD` variables) |`--key gitlab://<project>` (it will look for `COSIGN_PUBLIC_KEY` variable) |
25
-
| Ephemeral (file based CA) | Configure your CA in [your deployment](https://github.com/chainloop-dev/chainloop/blob/main/deployment/chainloop/templates/controlplane/file_ca.secret.yaml) and omit the `--key` when pushing your attestation. | Use `--cert cert.pem --cert-chain my-root.pem` in the `describe` command |
26
-
| Ephemeral ([EJBCA](https://github.com/Keyfactor/ejbca-ce)) | Connect your EJBCA instance to your Chainloop deployment using [these settings](https://github.com/chainloop-dev/chainloop/blob/main/deployment/chainloop/templates/controlplane/ejbca_ca.secret.yaml). Omit `--key` when pushing the attestation. | Use your verification material with `--cert` and `--cert-chain` options in the `wf run describe` command. <br/>See [bundles](#bundles)|
27
-
|[SignServer](https://www.signserver.org/)| You can sign with your instance of SignServer with `--key signserver://host/worker`| Both signing certificate and chain must be provided out of band. Use `--cert signingcert.pem --cert-chain root.pem` to verify. <br/>See [bundles](#bundles)|
28
-
29
-
#### Bundles
30
-
When signing with a verification method that supports it (like ephemeral certificates), you can download the verification material, to be used later during the verification process.
18
+
### Signing with a local key
19
+
These methods require setting up a key and/or KMS authentication in the local environment (laptop, CI system ...).
20
+
21
+
| Method | Signing (`chainloop att push`) | Verifying (`chainloop wf run describe --verify true`) |
| Kubernetes secret |`--key k8s://<namespace>/<secretName>` (where `cosign.key` and `cosign.password` secrets are expected) |`--key k8s://<namespace>/<secretName>` (where `cosign.pub` is expected) |
27
+
| Gitlab secret |`--key gitlab://<project>` (it will look for `COSIGN_PRIVATE_KEY`, `COSIGN_PASSWORD` variables) |`--key gitlab://<project>` (it will look for `COSIGN_PUBLIC_KEY` variable) |
28
+
29
+
### Keyless signing
30
+
These methods don't require any special setup in the client. For the verification command, you must make sure you get the CA certificate chain out-of-band, as it will be required to validate the ephemeral signing certificate.
31
+
32
+
| Method | Signing (`chainloop att push`) | Verifying (`chainloop wf run describe --verify true`) |
| Ephemeral (file based CA) | Configure your CA in [your deployment](https://github.com/chainloop-dev/chainloop/blob/main/deployment/chainloop/templates/controlplane/file_ca.secret.yaml) and omit the `--key` when pushing your attestation. | See [bundles](#bundles)|
35
+
| Ephemeral ([EJBCA](https://github.com/Keyfactor/ejbca-ce)) | Connect your EJBCA instance to your Chainloop deployment using [these settings](https://github.com/chainloop-dev/chainloop/blob/main/deployment/chainloop/templates/controlplane/ejbca_ca.secret.yaml). Omit `--key` when pushing the attestation. | See [bundles](#bundles)|
36
+
|[SignServer](https://www.signserver.org/)| You can sign with your instance of SignServer with `--key signserver://host/worker`| See [bundles](#bundles)|
37
+
38
+
39
+
### Bundles
40
+
When signing with a verification method that supports it (like keyless with ephemeral certificates), you can download the verification material used for signing, to be used later during the verification process.
31
41
32
42
Just add `--bundle my-bundle.json` to the `push` command. Then, you can use the material to verify the attestation:
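Review bot: the SignServer row is moved under "Keyless signing", whose new intro states that these methods "don't require any special setup in the client", yet the row still signs with `--key signserver://host/worker`, and the deleted verifying cells were the only place that told the reader the signing certificate and chain must be provided out of band and how to pass them (`--cert signingcert.pem --cert-chain root.pem`); the replacement cells just say "See [bundles](#bundles)", and the Bundles text in this hunk documents only `--bundle my-bundle.json` on `push`. Suggest either keeping SignServer in its own row outside the keyless table with the original verifying cell, or adding the `--cert` / `--cert-chain` usage for `wf run describe` to the Bundles section so that the out-of-band verification path does not disappear from the docs.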