-
Notifications
You must be signed in to change notification settings - Fork 551
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
create KeylessSigner #1189
create KeylessSigner #1189
Conversation
Signed-off-by: Jake Sanders <[email protected]>
} | ||
s, err := signature.LoadECDSASignerVerifier(priv, crypto.SHA256) | ||
if err != nil { | ||
return nil, err |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We should consistently wrap errors, I think.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
done
// NewSigner generates a new private signing key and returns a `cosign.Signer` which creates signatures with it. | ||
func NewSigner() (icosign.Signer, error) { | ||
priv, err := cosign.GeneratePrivateKey() | ||
if err != nil { | ||
return nil, errors.Wrap(err, "generating cert") | ||
} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Generally when we say "keyless" we mean the full Fulcio flow with the ephemeral certificate chained into the root CA (and optionally logged to Rekor). Perhaps to avoid creating confusion over the term "keyless" (since it is only part) we should call this "ephemeral"?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
diggidy done
Signed-off-by: Jake Sanders <[email protected]>
Ticket Link
#844
Release Note