conforma
diff --git a/‎cmd/validate/image.go‎
Lines changed: 3 additions & 2 deletions b/‎cmd/validate/image.go‎
Lines changed: 3 additions & 2 deletions
diff --git a/‎docs/modules/ROOT/pages/ec_validate_image.adoc‎
Lines changed: 1 addition & 1 deletion b/‎docs/modules/ROOT/pages/ec_validate_image.adoc‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎internal/utils/key_resolver.go‎
Lines changed: 153 additions & 0 deletions b/‎internal/utils/key_resolver.go‎
Lines changed: 153 additions & 0 deletions
diff --git a/‎internal/utils/private_key.go‎
Lines changed: 32 additions & 0 deletions b/‎internal/utils/private_key.go‎
Lines changed: 32 additions & 0 deletions
@@ -497,7 +497,8 @@ func validateImageCmd(validate imageValidationFunc) *cobra.Command {
 			}
 
 			if data.vsaEnabled {
-				signer, err := vsa.NewSigner(data.vsaSigningKey, utils.FS(cmd.Context()))
+				// Use the signer function that supports both file and k8s:// URLs
+				signer, err := vsa.NewSigner(cmd.Context(), data.vsaSigningKey, utils.FS(cmd.Context()))
 				if err != nil {
 					log.Error(err)
 					return err
@@ -669,7 +670,7 @@ func validateImageCmd(validate imageValidationFunc) *cobra.Command {
 		- "ec-policy": Uses Enterprise Contract policy filtering with pipeline intention support`))
 
 	cmd.Flags().BoolVar(&data.vsaEnabled, "vsa", false, "Generate a Verification Summary Attestation (VSA) for each validated image.")
-	cmd.Flags().StringVar(&data.vsaSigningKey, "vsa-signing-key", "", "Path to the private key for signing the VSA.")
+	cmd.Flags().StringVar(&data.vsaSigningKey, "vsa-signing-key", "", "Path to the private key for signing the VSA. Supports file paths and Kubernetes secret references (k8s://namespace/secret-name/key-field).")
 	cmd.Flags().StringSliceVar(&data.vsaUpload, "vsa-upload", nil, "Storage backends for VSA upload. Format: backend@url?param=value. Examples: rekor@https://rekor.sigstore.dev, local@./vsa-dir")
 	cmd.Flags().DurationVar(&data.vsaExpiration, "vsa-expiration", data.vsaExpiration, "Expiration threshold for existing VSAs. If a valid VSA exists and is newer than this threshold, validation will be skipped. (default 168h)")
 
 
@@ -154,7 +154,7 @@ JSON of the "spec" or a reference to a Kubernetes object [<namespace>/]<name>
 -s, --strict:: Return non-zero status on non-successful validation. Defaults to true. Use --strict=false to return a zero status code. (Default: true)
 --vsa:: Generate a Verification Summary Attestation (VSA) for each validated image. (Default: false)
 --vsa-expiration:: Expiration threshold for existing VSAs. If a valid VSA exists and is newer than this threshold, validation will be skipped. (default 168h) (Default: 168h0m0s)
---vsa-signing-key:: Path to the private key for signing the VSA.
+--vsa-signing-key:: Path to the private key for signing the VSA. Supports file paths and Kubernetes secret references (k8s://namespace/secret-name/key-field).
 --vsa-upload:: Storage backends for VSA upload. Format: backend@url?param=value. Examples: rekor@https://rekor.sigstore.dev, local@./vsa-dir (Default: [])
 --workers:: Number of workers to use for validation. Defaults to 5. (Default: 5)
 
 
@@ -0,0 +1,153 @@
+// Copyright The Conforma Contributors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+//
+// SPDX-License-Identifier: Apache-2.0
+
+package utils
+
+import (
+	"context"
+	"fmt"
+	"strings"
+
+	"github.com/spf13/afero"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/client-go/kubernetes"
+	"k8s.io/client-go/rest"
+	"k8s.io/client-go/tools/clientcmd"
+)
+
+// contextKey is a custom type for context keys to avoid collisions
+type contextKey string
+
+const K8sClientKey contextKey = "k8s.client"
+
+// KeyFromKeyRef resolves a key from either a file path or a Kubernetes secret reference.
+// This provides a unified interface for both public and private key resolution.
+// Supported formats:
+// - File path: "/path/to/key.pem"
+// - Kubernetes secret: "k8s://namespace/secret-name/key-field" (explicit key field)
+// - Kubernetes secret: "k8s://namespace/secret-name" (auto-select if single key exists)
+func KeyFromKeyRef(ctx context.Context, keyRef string, fs afero.Fs) ([]byte, error) {
+	if strings.HasPrefix(keyRef, "k8s://") {
+		return keyFromKubernetesSecret(ctx, keyRef)
+	}
+	return keyFromFile(keyRef, fs)
+}
+
+// PublicKeyFromKeyRef resolves a public key from either a file path or a Kubernetes secret reference.
+// This provides a consistent interface with PrivateKeyFromKeyRef.
+// Supported formats:
+// - File path: "/path/to/public-key.pem"
+// - Kubernetes secret: "k8s://namespace/secret-name/key-field" (explicit key field)
+// - Kubernetes secret: "k8s://namespace/secret-name" (auto-select if single key exists)
+func PublicKeyFromKeyRef(ctx context.Context, keyRef string, fs afero.Fs) ([]byte, error) {
+	return KeyFromKeyRef(ctx, keyRef, fs)
+}
+
+// keyFromFile reads a key from the filesystem
+func keyFromFile(keyPath string, fs afero.Fs) ([]byte, error) {
+	keyBytes, err := afero.ReadFile(fs, keyPath)
+	if err != nil {
+		return nil, fmt.Errorf("read key from file %q: %w", keyPath, err)
+	}
+	return keyBytes, nil
+}
+
+// keyFromKubernetesSecret reads a key from a Kubernetes secret
+// Supported formats:
+// - k8s://namespace/secret-name/key-field (explicit key field)
+// - k8s://namespace/secret-name (auto-select if single key exists)
+func keyFromKubernetesSecret(ctx context.Context, keyRef string) ([]byte, error) {
+	// Validate format first before attempting to create client
+	parts := strings.Split(strings.TrimPrefix(keyRef, "k8s://"), "/")
+	if len(parts) < 2 || len(parts) > 3 {
+		return nil, fmt.Errorf("invalid k8s key reference format %q, expected k8s://namespace/secret-name or k8s://namespace/secret-name/key-field", keyRef)
+	}
+
+	namespace := parts[0]
+	secretName := parts[1]
+	var keyField string
+	if len(parts) == 3 {
+		keyField = parts[2]
+	}
+
+	if namespace == "" || secretName == "" {
+		return nil, fmt.Errorf("invalid k8s key reference %q: namespace and secret name must be specified", keyRef)
+	}
+
+	k8sClient, err := getKubernetesClient(ctx)
+	if err != nil {
+		return nil, fmt.Errorf("get kubernetes client: %w", err)
+	}
+
+	secret, err := k8sClient.CoreV1().Secrets(namespace).Get(ctx, secretName, metav1.GetOptions{})
+	if err != nil {
+		return nil, fmt.Errorf("fetch secret %s/%s: %w", namespace, secretName, err)
+	}
+
+	// If key field is specified, use it directly
+	if keyField != "" {
+		keyData, exists := secret.Data[keyField]
+		if !exists {
+			return nil, fmt.Errorf("key field %q not found in secret %s/%s", keyField, namespace, secretName)
+		}
+		return keyData, nil
+	}
+
+	// No key field specified - auto-select if single key exists
+	keyCount := len(secret.Data)
+	if keyCount == 0 {
+		return nil, fmt.Errorf("secret %s/%s contains no keys", namespace, secretName)
+	}
+	if keyCount == 1 {
+		// Get the single key
+		for _, keyData := range secret.Data {
+			return keyData, nil
+		}
+	}
+
+	// Multiple keys exist - return error without exposing key names
+	return nil, fmt.Errorf("secret %s/%s contains multiple keys, please specify the key field: k8s://%s/%s/<key-field>",
+		namespace, secretName, namespace, secretName)
+}
+
+// getKubernetesClient retrieves a Kubernetes client from the context or creates a new one
+func getKubernetesClient(ctx context.Context) (kubernetes.Interface, error) {
+	// Try to get from context first (for testing)
+	if client, ok := ctx.Value(K8sClientKey).(kubernetes.Interface); ok {
+		return client, nil
+	}
+
+	// Create a new client using the same pattern as the existing kubernetes package
+	// This follows the same pattern as used in the policy package
+	config, err := getKubernetesConfig()
+	if err != nil {
+		return nil, fmt.Errorf("get kubernetes config: %w", err)
+	}
+
+	client, err := kubernetes.NewForConfig(config)
+	if err != nil {
+		return nil, fmt.Errorf("create kubernetes client: %w", err)
+	}
+
+	return client, nil
+}
+
+// getKubernetesConfig creates a Kubernetes config following the same pattern as the existing code
+func getKubernetesConfig() (*rest.Config, error) {
+	rules := clientcmd.NewDefaultClientConfigLoadingRules()
+	clientConfig := clientcmd.NewNonInteractiveDeferredLoadingClientConfig(rules, nil)
+	return clientConfig.ClientConfig()
+}
@@ -0,0 +1,32 @@
+// Copyright The Conforma Contributors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+//
+// SPDX-License-Identifier: Apache-2.0
+
+package utils
+
+import (
+	"context"
+
+	"github.com/spf13/afero"
+)
+
+// PrivateKeyFromKeyRef resolves a private key from either a file path or a Kubernetes secret reference.
+// This follows the same pattern as cosignSig.PublicKeyFromKeyRef but for private keys.
+// Supported formats:
+// - File path: "/path/to/private-key.pem"
+// - Kubernetes secret: "k8s://namespace/secret-name/key-field"
+func PrivateKeyFromKeyRef(ctx context.Context, keyRef string, fs afero.Fs) ([]byte, error) {
+	return KeyFromKeyRef(ctx, keyRef, fs)
+}