Skip to content

Commit cd576d4

Browse files
authored
Update bundle signing docs to clarify key config (#8307)
Following a question about the mixing of these two signature verification methods. Signed-off-by: Charlie Egan <charlie_egan@apple.com>
1 parent dd59017 commit cd576d4

File tree

3 files changed

+33
-4
lines changed

3 files changed

+33
-4
lines changed

docs/docs/configuration.md

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -795,7 +795,7 @@ Bundles are defined with a key that is the `name` of the bundle. This `name` is
795795
server provenance, etc.
796796

797797
Each bundle can be configured to verify a bundle signature using the `keyid` and `scope` fields. The `keyid` is the name of
798-
one of the keys listed under the [keys](#keys) entry.
798+
one of the keys listed under the [keys](#keys) entry. When using bundle services or discovery, verification keys must be in the configuration file. The `--verification-key` CLI flag only works with the `--bundle` flag for filesystem bundles - see [Bundle Signing](./management-bundles/#signing) for examples.
799799

800800
Signature verification fails if the `bundles[_].signing` field is configured on a bundle but no `.signatures.json` file is
801801
included in the actual bundle gzipped tarball.

docs/docs/management-bundles/index.md

Lines changed: 11 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -90,8 +90,18 @@ bundles:
9090
signing:
9191
keyid: my_global_key
9292
scope: read
93+
94+
keys:
95+
my_global_key:
96+
algorithm: RS256
97+
key: |
98+
-----BEGIN PUBLIC KEY-----
99+
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA...
100+
-----END PUBLIC KEY-----
93101
```
94102
103+
See [Configuration - Keys](./configuration/#keys) for details on key configuration.
104+
95105
Using this configuration, OPA will fetch bundles from
96106
`https://example.com/service/v1/somedir/bundle.tar.gz`.
97107

@@ -431,9 +441,7 @@ configured with out-of-band. Only if that verification succeeds does OPA activat
431441
continues using its existing bundle and reports an activation failure via the status API and error logging.
432442

433443
:::warning
434-
⚠️ `opa run` performs bundle signature verification only when the `-b`/`--bundle` flag is given
435-
or when Bundle downloading is enabled. Sub-commands primarily used in development and debug environments
436-
(such as `opa eval`, `opa test`, etc.) DO NOT verify bundle signatures at this point in time.
444+
Bundle signature verification works differently depending on how bundles are loaded. Filesystem bundles (`--bundle` flag) use the `--verification-key` CLI flag pointing to a PEM file. Remote bundles define keys in the configuration file under the `keys` section. Sub-commands primarily used in pre-production (such as `opa eval`, `opa test`, etc.) do not verify bundle signatures at this point in time.
437445
:::
438446

439447
### Signature Format

docs/docs/management-discovery.md

Lines changed: 21 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -284,6 +284,27 @@ signature verification of a discovery bundle **CANNOT** be modified via discover
284284
> include the keys used to verify the non-discovery bundles. However, OPA does not enforce that recommendation. You may use
285285
> unsigned discovery bundles that themselves require non-discovery bundles to be signed.
286286
287+
To enable signature verification for discovery bundles, add the `signing` field to your discovery configuration and define the verification key:
288+
289+
```yaml title="Bootstrap Config"
290+
discovery:
291+
service: acmecorp
292+
resource: /discovery.tar.gz
293+
signing:
294+
keyid: discovery_key
295+
scope: read
296+
297+
keys:
298+
discovery_key: # Cannot come from discovery
299+
algorithm: RS256
300+
key: |
301+
-----BEGIN PUBLIC KEY-----
302+
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA...
303+
-----END PUBLIC KEY-----
304+
```
305+
306+
Discovery bundle contents then provides keys for regular bundles - see [Bundle Signing](./management-bundles/#signing) for more details about signing configuration.
307+
287308
## Discovery Bundle Persistence
288309
289310
OPA can optionally persist the activated discovery bundle to disk for recovery purposes. To enable

0 commit comments

Comments
 (0)