sigstore / cosign

Code signing and transparency for containers and binaries
Apache License 2.0

Prefer using the unencrypted key for signing images so we don't have to manage the encrypted key and the password. #1215

Open QWERTY92009 opened 2 years ago

QWERTY92009 commented 2 years ago

Description

Our CI pipeline manages all secrets in Hashicorp Vault. Rather than managing the encrypted signing key and its password, we would prefer to manage just the unencrypted key, which will be pulled by the signing agent as needed.

dlorenc commented 2 years ago

In that case, would it make more sense to use the hashicorp API directly as a KMS provider?

QWERTY92009 commented 2 years ago

Sounds good! Could you elaborate on how the vault token is managed (to write the key initially, and to read the key afterward)? Thanks! Update: Never mind. I see you are using the environment variable VAULT_TOKEN.
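The approach dlorenc suggests, spelled out as an added example (not code from the cosign project or from this issue): cosign's Vault provider addresses a transit key by the URI `hashivault://<key name>` and reads the Vault server address and token from `VAULT_ADDR` and `VAULT_TOKEN` (with `TRANSIT_SECRET_ENGINE_PATH` optionally overriding the default `transit` mount). The private key is created inside Vault and never leaves it, so neither an encrypted key file nor a password has to be stored in the pipeline. The key name `cosign-ci` and the image reference are constructed placeholders; the `cosign` and `vault` CLIs and a reachable Vault server are assumed only for the `run` path.

```shell
#!/bin/sh
# Added example, not part of cosign or this issue: sign and verify an image
# with a key held in HashiCorp Vault's transit engine via cosign's KMS provider.

# Build the KMS URI cosign expects for a Vault transit key.
vault_kms_uri() {
  printf 'hashivault://%s\n' "$1"
}

# Return 0 only when the variables cosign's Vault provider reads are present.
# TRANSIT_SECRET_ENGINE_PATH is optional and defaults to "transit".
check_vault_env() {
  if [ -z "${VAULT_ADDR:-}" ]; then
    echo "VAULT_ADDR is not set" >&2
    return 1
  fi
  if [ -z "${VAULT_TOKEN:-}" ]; then
    echo "VAULT_TOKEN is not set (the signing agent must obtain one first)" >&2
    return 1
  fi
  return 0
}

# One-time key creation, then sign and verify. The private key stays in Vault;
# cosign only asks the transit engine to sign the digest.
sign_with_vault() {
  key_name="$1"
  image="$2"
  check_vault_env || return 1
  uri=$(vault_kms_uri "$key_name")
  # Create an ECDSA P-256 signing key in the transit engine (idempotent with -f).
  vault write -f "${TRANSIT_SECRET_ENGINE_PATH:-transit}/keys/$key_name" type=ecdsa-p256 >/dev/null
  cosign sign --key "$uri" "$image"
  cosign verify --key "$uri" "$image"
}

# Run only when explicitly asked and the cosign CLI is available.
if [ "${1:-}" = "run" ] && command -v cosign >/dev/null 2>&1; then
  # Placeholder values: replace with the real key name and image reference.
  sign_with_vault "${2:-cosign-ci}" "${3:-registry.example.com/app:1.0.0}"
fi
```

Because the token is the only secret the signing agent needs, it can be a short-lived one issued by Vault's AppRole or Kubernetes auth method with a policy limited to `transit/sign/<key>` and `transit/keys/<key>` (read); that is the thing to lock down, since anyone holding that token can produce signatures.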