Open developer-guy opened 2 years ago
In my opinion, this decision should be based on the expected user experience. If we remove this step, we should also do it for the KMS services because they also write the public key locally.
supported k8s:// protocol is not like the KMS service because we are responsible for creating key pairs by using the client-go
package, so IMHO it'd be okay to separate the logic from other KMS services. WDYT @dlorenc?
@developer-guy I see now, then I'd suggest to keep the same UX experience in both.
Description
Do we really need to write public key to disk while generating key pair as Kubernetes Secret? Detail 👇 https://github.com/sigstore/cosign/blob/27d68e081567d193d051a330075d3b2acdc1de7e/pkg/cosign/kubernetes/secret.go#L87
All the details are available within the Secret, pub/private key pair, and the password, why are we still writing the public key to disk?
Should we remove this line because in the sign/verify flow for this situation we don’t need to store public key on disk because we can verify images by using Secret references like:
$ cosign verify k8s://mykey devopps/nginx:latest
Based on the Slack conversation: https://sigstore.slack.com/archives/C01PZKDL4DP/p1632956513249300