chainloop-dev / chainloop

Chainloop is an Open Source evidence store for your Software Supply Chain attestations, SBOMs, VEX, SARIF, CSAF files, QA reports, and more.
https://docs.chainloop.dev
Apache License 2.0
377 stars 29 forks

Implement keyless verification #914

Open jiparis opened 6 months ago

jiparis commented 6 months ago

Currently, keyless signing is in production in experimental mode, as generated attestations are not yet verifiable (because the generated certificate is not stored).

This task is for implementing the full verification scenario, following best practices.

jiparis commented 5 months ago

We will adopt the sigstore approach for storing and verifying local bundles.

jiparis commented 5 months ago

See https://github.com/chainloop-dev/chainloop/issues/990 for storing the verification material.