sigstore / cosign

Code signing and transparency for containers and binaries
Apache License 2.0

Add Gitpod Provider Interface #2997

Open ChevronTango opened 1 year ago

ChevronTango commented 1 year ago

Description

Gitpod is a remote workspace solution that has the ability (still in BETA) to generate JWT tokens to authenticate users within a workspace against external services like Sigstore, Vault or AWS directly.

Because Gitpod can generate these tokens using a command line, and thus does not require a browser to do any auth, it makes sense to create a provider within cosign and gitsign that can automatically call this CLI on the user's behalf, thus eliminating the need to do any external auth checks.

The command line in question is gp idp token --audience sigstore and is currently still in BETA, but can be run from any gitpod workspace. The devs are currently working to add the correct email claims to the resulting token so that it is compatible with sigstore.

mattmoor commented 1 year ago

Has support for the Gitpod issuer landed in Fulcio?

Is there a Go library that cosign can use instead of relying on os.Exec?

cc @haydentherapper

haydentherapper commented 1 year ago

It has not landed in Fulcio yet - https://github.com/sigstore/fulcio/pull/1177

Blocked by an issue in GitPod