What would you like to be added?
Feature Request
Add support for TSA (Time Stamping Authority) certificate verification in the Cosign verifier using CertificateStore custom resources, similar to the existing Notation verifier implementation.
Current Behavior
The Cosign verifier in Ratify currently supports:
- Inline public keys (key parameter)
- Inline certificates (certificate parameter)
- Rekor URL configuration (rekorURL parameter)
However, it does not support referencing external CertificateStore CRs for TSA certificate chains.
Desired Behavior
Allow the Cosign verifier to reference CertificateStore resources for TSA verification, similar to Notation:
```yaml
apiVersion: config.ratify.deislabs.io/v1beta1
kind: Verifier
metadata:
  name: verifier-cosign
spec:
  name: cosign
  artifactTypes: application/vnd.dev.cosign.artifact.sig.v1+json
  parameters:
    certificate: |
      [signing certificate]
    trustStores:
      - tsa:ratify-tsa-root
      - tsa:ratify-tsa-intermediate
    rekorURL: ""
```
Use Case
We need to verify Cosign signatures with:
- Certificate-based verification (Adobe Internal CA)
- RFC 3161 timestamp verification using FreeTSA certificates
- Centralized TSA certificate management via CertificateStore CRs
Anything else you would like to add?
Current implementation doc: https://ratify.dev/docs/reference/custom%20resources/verifiers/#cosign-verifier
Are you willing to submit PRs to contribute to this feature?
- Yes, I am willing to implement it.
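Added example (not Ratify's code and not the issue author's): a stand-alone Go sketch of the check the requested `trustStores` parameter would have to perform. It resolves the proposed `tsa:<CertificateStore name>` references against an in-memory map of store name to PEM bundle (an assumed stand-in for the CertificateStore CRs), sorts the stores' certificates into trust anchors and intermediates, and then verifies a TSA signing certificate against them with the RFC 3161 `id-kp-timeStamping` extended key usage required. The helper names (`verifyTSACert`, `buildDemoPKI`, `issue`) are hypothetical, and the root, intermediate and leaf certificates are generated at runtime for the example; they are not FreeTSA's or any real CA's material.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// parsePEMCerts decodes every CERTIFICATE block in a PEM bundle.
func parsePEMCerts(data []byte) []*x509.Certificate {
	var certs []*x509.Certificate
	for block, rest := pem.Decode(data); block != nil; block, rest = pem.Decode(rest) {
		if block.Type != "CERTIFICATE" {
			continue
		}
		if c, err := x509.ParseCertificate(block.Bytes); err == nil {
			certs = append(certs, c)
		}
	}
	return certs
}

// verifyTSACert (hypothetical helper, not Ratify's API) resolves the
// "tsa:<CertificateStore name>" references from the issue against an
// in-memory map of store name -> PEM bundle standing in for the CRs, then
// checks that the TSA signing certificate chains to those stores and carries
// the RFC 3161 id-kp-timeStamping extended key usage.
func verifyTSACert(tsaPEM []byte, stores map[string][]byte, refs []string, at time.Time) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	for _, ref := range refs {
		purpose, name, ok := strings.Cut(ref, ":")
		if !ok || purpose != "tsa" {
			return fmt.Errorf("unsupported trust store reference %q", ref)
		}
		bundle, found := stores[name]
		if !found {
			return fmt.Errorf("CertificateStore %q not found", name)
		}
		for _, c := range parsePEMCerts(bundle) {
			if c.CheckSignatureFrom(c) == nil { // self-signed CA: a trust anchor
				roots.AddCert(c)
			} else { // anything else is chain-building material only
				inters.AddCert(c)
			}
		}
	}
	leaves := parsePEMCerts(tsaPEM)
	if len(leaves) != 1 {
		return fmt.Errorf("expected exactly one TSA signing certificate, got %d", len(leaves))
	}
	leaf, hasTimeStamping := leaves[0], false
	for _, eku := range leaf.ExtKeyUsage {
		hasTimeStamping = hasTimeStamping || eku == x509.ExtKeyUsageTimeStamping
	}
	if !hasTimeStamping { // Verify alone would accept a leaf with no EKU at all; RFC 3161 requires it explicitly
		return fmt.Errorf("TSA certificate %q lacks the id-kp-timeStamping extended key usage", leaf.Subject.CommonName)
	}
	_, err := leaf.Verify(x509.VerifyOptions{
		Roots: roots, Intermediates: inters, CurrentTime: at,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageTimeStamping},
	})
	return err
}

// issue signs tmpl with parentKey (self-signed when parent is nil) and returns
// the parsed certificate, its private key and its PEM encoding.
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, []byte) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}

// buildDemoPKI constructs a throwaway root -> intermediate -> TSA hierarchy
// (constructed for this example; not FreeTSA's or any real CA's material) and
// returns the two stores the issue's manifest references plus a good and a
// bad TSA certificate.
func buildDemoPKI() (stores map[string][]byte, goodTSA, badTSA []byte) {
	now := time.Now()
	tmpl := func(cn string, serial int64, ca bool, eku ...x509.ExtKeyUsage) *x509.Certificate {
		c := &x509.Certificate{
			SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
			NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
			KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: eku,
		}
		if ca {
			c.IsCA, c.BasicConstraintsValid = true, true
			c.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageCRLSign
		}
		return c
	}
	root, rootKey, rootPEM := issue(tmpl("Demo TSA Root", 1, true), nil, nil)
	inter, interKey, interPEM := issue(tmpl("Demo TSA Intermediate", 2, true), root, rootKey)
	_, _, goodTSA = issue(tmpl("Demo TSA Signer", 3, false, x509.ExtKeyUsageTimeStamping), inter, interKey)
	// Same chain, but issued for TLS: must be rejected as a timestamp signer.
	_, _, badTSA = issue(tmpl("Demo TLS Server", 4, false, x509.ExtKeyUsageServerAuth), inter, interKey)
	stores = map[string][]byte{"ratify-tsa-root": rootPEM, "ratify-tsa-intermediate": interPEM}
	return stores, goodTSA, badTSA
}

func main() {
	stores, good, bad := buildDemoPKI()
	refs := []string{"tsa:ratify-tsa-root", "tsa:ratify-tsa-intermediate"}
	fmt.Println("timestamping cert:", verifyTSACert(good, stores, refs, time.Now()))
	fmt.Println("serverAuth cert:  ", verifyTSACert(bad, stores, refs, time.Now()))
	fmt.Println("root store only:  ", verifyTSACert(good, stores, refs[:1], time.Now()))
}
```

The two checks worth keeping whichever way the feature is built are the explicit EKU test and the purpose prefix on the reference: Go's `Verify` permits a leaf that has no EKU extension at all, so relying on `KeyUsages` alone would let a general-purpose certificate from the same CA pass as a timestamp signer, and a store listed for another purpose (`ca:` for the signing chain) should never be silently merged into the TSA trust pool.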