sigstore / cosign-gatekeeper-provider

🔮 ✈️ to integrate OPA Gatekeeper's new ExternalData feature with cosign to determine whether the images are valid by verifying their signatures
Apache License 2.0

Verifying images using a generated public key #18

Open Anna-Katona opened 2 years ago

Anna-Katona commented 2 years ago

Description

Hi!

We'd like to have an opportunity to pass our own Cosign public key, generated with cosign generate-key-pair, to the provider, to use it the same way as 'cosign verify --key ...'

Expectations:

  1. Generate a key pair using cosign generate-key-pair
  2. Sign an image
  3. Create a k8s secret/configmap for cosign.pub
  4. Pass the secret/configmap to cosign-gatekeeper-provider deployment
  5. Verify the images using the public key
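
What step 5 amounts to on the provider side, as an added example that is not part of the issue or the provider's code: load the mounted cosign.pub, verify the signature over the signed payload, and confirm the payload names the digest being admitted. It assumes the ECDSA P-256 PEM key that cosign generate-key-pair writes and a base64 ASN.1 signature over SHA-256 of the payload; `LoadPublicKey` and `VerifyImage` are hypothetical names, and the key, payload and digests in `main` are constructed.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"encoding/json"
	"encoding/pem"
	"fmt"
)

// LoadPublicKey parses cosign.pub PEM text, e.g. from a mounted ConfigMap (assumed setup).
func LoadPublicKey(pemText []byte) (*ecdsa.PublicKey, error) {
	block, _ := pem.Decode(pemText)
	if block == nil {
		return nil, fmt.Errorf("no PEM block in key file")
	}
	key, err := x509.ParsePKIXPublicKey(block.Bytes)
	if ec, ok := key.(*ecdsa.PublicKey); ok && err == nil {
		return ec, nil
	}
	return nil, fmt.Errorf("not an ECDSA public key (parse error: %v)", err)
}

// VerifyImage checks the signature over SHA-256(payload), then that the payload names the admitted digest.
func VerifyImage(pub *ecdsa.PublicKey, payload []byte, sigB64, digest string) bool {
	sig, err := base64.StdEncoding.DecodeString(sigB64)
	sum := sha256.Sum256(payload)
	if err != nil || !ecdsa.VerifyASN1(pub, sum[:], sig) {
		return false
	}
	var p struct { // encoding/json matches these field names case-insensitively
		Critical struct{ Image map[string]string }
	}
	return digest != "" && json.Unmarshal(payload, &p) == nil && p.Critical.Image["docker-manifest-digest"] == digest
}

func main() { // constructed demo: throwaway key pair, sample payload, placeholder digests
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	der, _ := x509.MarshalPKIXPublicKey(&priv.PublicKey)
	pub, _ := LoadPublicKey(pem.EncodeToMemory(&pem.Block{Type: "PUBLIC KEY", Bytes: der}))
	body := []byte(`{"critical":{"image":{"docker-manifest-digest":"sha256:aaaa"}}}`)
	sum := sha256.Sum256(body)
	sig, _ := ecdsa.SignASN1(rand.Reader, priv, sum[:])
	b64 := base64.StdEncoding.EncodeToString(sig)
	fmt.Println(VerifyImage(pub, body, b64, "sha256:aaaa"), VerifyImage(pub, body, b64, "sha256:bbbb"))
}
```

The digest comparison matters as much as the signature check: a valid signature for one image must not admit a different digest.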

rajatrj16 commented 8 months ago

Hi, I am also looking for something similar. If there is a way, or if it is in the roadmap, please add updates to this issue. I was looking at this repo and it looks like more of a demo and deprecated with gatekeeper version.