sigstore / cosign

Code signing and transparency for containers and binaries
Apache License 2.0

Support importing GPG keys for signing #3141

Open lkatalin opened 1 year ago

lkatalin commented 1 year ago

Currently, cosign import-key-pair only has support for RSA and ECDSA keys in PEM format and does not offer support for importing GPG keys. The motivations for supporting import of GPG keys include:

BinToss commented 1 year ago

https://superuser.com/questions/435321/how-can-i-export-public-keys-in-pem-format-with-gnupg Though I agree a simpler and/or automated process would be great.

tommyd450 commented 7 months ago

Is this one still actionable? I'd like to attempt this one, but I see there is a good deal of discussion around it?

emmeowzing commented 5 months ago

> https://superuser.com/questions/435321/how-can-i-export-public-keys-in-pem-format-with-gnupg Though I agree a simpler and/or automated process would be great.

Totally referenced this article before I found this issue. The whole process was a bit cumbersome so I resolved to just generate a key pair per the docs.