Closed viccuad closed 2 years ago
Reminder: right now, to verify our production images, one needs to pass an updated fulcio cert:
```
cosign initialize
kwctl verify --verification-config-path ./verification-config.yml --fulcio-cert-path ~/.sigstore/root/targets/fulcio_v1.crt.pem registry://ghcr.io/kubewarden/policies/pod-privileged:v0.1.10
```
This would not be needed once we are consuming sigstore/sigstore-rs/pull/43,
Is your feature request related to a problem?
No response
Solution you'd like
Consume latest changes of policy-fetcher on `Config::LatestVerificationConfig` (verification-config.yml) and `verify::verify()`. This enables support for keyless verification.

policy-server already has a flag `--verification-path`, and doesn't need flags `-k`, `-a` as in kwctl. Which means that we don't need to translate those flags into an interim `LatestVerificationConfig`.

See the analogous work for kwctl here: https://github.com/kubewarden/kwctl/pull/169
Alternatives you've considered
No response
Anything else?
No response