Shopify / ruby-sigstore

Rubygems sigstore signing plugin
Apache License 2.0

add static openid provider #41

Closed doodzik closed 2 years ago

doodzik commented 2 years ago

Problem

The current implementation of the id provider requires interaction with a web browser, which doesn't work in an automated environment.

Solution

The folks over at sigstore/cosign solved this problem by allowing cosign to accept an id token. This PR ports that approach over.

At a later point (#42), we can also enable the usage of env variables, but that isn't required to get this tool working in ShipIt, which is the biggest unknown in my opinion. See https://github.com/sigstore/cosign/pull/644 for reference.

ref #24
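The approach described in the PR description above, sketched as an added example that is not code from this PR or from ruby-sigstore: a provider that accepts a pre-issued ID token and checks its structure, required claims and expiry locally before a CI job uses it. `StaticTokenProvider`, `InvalidToken` and `sample_token` are hypothetical names, and the sample token is constructed.

```ruby
require "json"

# Hypothetical static provider (not ruby-sigstore's API): hands back a
# pre-issued OIDC ID token instead of running the browser flow.
class StaticTokenProvider
  class InvalidToken < StandardError; end

  def initialize(raw_token, now: Time.now)
    @raw_token = raw_token.to_s.strip
    @now = now
  end

  # Returns the token only if it passes local sanity checks. The signature is
  # NOT verified here; the service receiving the token has to do that.
  def id_token
    claims
    @raw_token
  end

  # Decoded payload claims; raises InvalidToken instead of echoing the token.
  def claims
    @claims ||= begin
      segments = @raw_token.split(".", -1)
      unless segments.size == 3 && segments.none?(&:empty?)
        raise InvalidToken, "expected 3 JWT segments"
      end
      payload = JSON.parse(self.class.b64url_decode(segments[1]))
      raise InvalidToken, "payload is not a JSON object" unless payload.is_a?(Hash)
      missing = %w[iss sub exp] - payload.keys
      raise InvalidToken, "missing claims: #{missing.join(', ')}" unless missing.empty?
      exp = payload["exp"]
      raise InvalidToken, "token expired" unless exp.is_a?(Numeric) && exp > @now.to_i
      payload
    rescue ArgumentError, JSON::ParserError
      raise InvalidToken, "payload is not base64url-encoded JSON"
    end
  end

  def self.b64url_decode(segment)
    padded = segment.tr("-_", "+/") + "=" * ((4 - segment.size % 4) % 4)
    padded.unpack1("m0") # strict decoding, ArgumentError on bad input
  end
end

# Constructed sample: unsigned token with a placeholder signature segment.
def sample_token(claims)
  enc = ->(s) { [s].pack("m0").tr("+/", "-_").delete("=") }
  [enc.(JSON.generate({ "alg" => "none" })), enc.(JSON.generate(claims)), "sig"].join(".")
end
```

The error messages never include the token itself, so a failed check does not leak the credential into CI logs.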

doodzik commented 2 years ago

Where would I find the original cosign code for comparison?

@jchestershopify Have a look at this PR and verification flow.