Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Support Cosign verification with multiple keys #1191

Closed
1 task
Tracked by #1166
yizha1 opened this issue Nov 29, 2023 · 0 comments · Fixed by #1381
Closed
1 task
Tracked by #1166

Support Cosign verification with multiple keys #1191

yizha1 opened this issue Nov 29, 2023 · 0 comments · Fixed by #1381
Labels
enhancement New feature or request
Milestone
v1.2.0

Comments

@yizha1
Copy link
Collaborator

yizha1 commented Nov 29, 2023

What would you like to be added?

Currently, users can only configure one key for Cosign verification. There are scenarios where multiple keys are used for signing during the process of distributing container images, thus images are signed with multiple keys by different parties throughout the process, as a result, multiple signatures are generated and associated with container images. The keys could be self-managed keys or keys stored in multiple KMSs, such as AKV. This issue is to ask for support of Cosign verification with multiple keys.

  • Users can configure multiple self-managed keys
  • Users can configure multiples keys that stored in different KMS, such as AKV
  • To achieve an overall successful validation, all signatures produced with multiple keys must be validated.

NOTE: If multiple signatures are generated by one key, the overall validation passes as long as at least one signature passes validation

Anything else you would like to add?

No response

Are you willing to submit PRs to contribute to this feature?

  • Yes, I am willing to implement it.
@yizha1 yizha1 added enhancement New feature or request triage Needs investigation labels Nov 29, 2023
@susanshi susanshi added this to the v1.2.0 milestone Dec 5, 2023
@susanshi susanshi removed the triage Needs investigation label Dec 5, 2023
@akashsinghal akashsinghal mentioned this issue Jan 4, 2024
Merged
12 tasks
@akashsinghal akashsinghal mentioned this issue Feb 2, 2024
Closed
11 tasks
@akashsinghal akashsinghal mentioned this issue Apr 10, 2024
Merged
12 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
enhancement New feature or request
Projects
None yet
Milestone
v1.2.0
Development

Successfully merging a pull request may close this issue.

feat: add cosign trust policies akashsinghal/ratify
2 participants
@susanshi @yizha1