Closed pflaeging closed 3 months ago
Hey @pflaeging ! We definitely want to support keyless verification for cosign, but it might have to wait for a little bit. We are currently working on a golang rewrite of the code and instead of doing the work twice (for python and go) it's better to do it just once.
We already made some efforts to support a private rekor instance in the go version, so the implementation should be easier there. We'll make an announcement, once the golang version is ready and then we'll tackle this issue.
Cheers.
Is there anything new in terms of keyless verification?
Unfortunately not. It's the next thing we'll be working on.
It would be great to have working keyless support in connaisseur.
We made a strong effort to establish a system to rollout your own instance of fulcio and rekor (look at https://gitlab.opencode.de/ig-bvc/ag-sig/fulcio-rekor-rollout). This is a project for European public agencies to share secure containers.
I've tried to write down the assets to verify images with cosign (https://gitlab.opencode.de/ig-bvc/ag-sig/fulcio-rekor-rollout/-/blob/main/WhatIsNeededForVerify.md).
I've seen the principal hooks inside connaisseur are there but empty (not implemented yet).
Can we start a discussion to implement it? There's example code for signing and verification in the repo above.
Thanks in advance
peter peter@pflaeging.net
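The certificate half of a keyless check against a private Fulcio, as an added Go example (Go because of the rewrite mentioned above); this is not Connaisseur's code and not code from the fulcio-rekor-rollout repository. It assumes that a private Fulcio records the OIDC issuer under the same extension OID (1.3.6.1.4.1.57264.1.1) as the public instance, uses a hypothetical `Policy` type for the expected identity, and builds its own constructed root CA, leaf certificate and signature in `MakeFixture` instead of contacting any Fulcio or Rekor. Rekor inclusion proof / SET checking is deliberately left out.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"time"
)

// OID 1.3.6.1.4.1.57264.1.1, under which Fulcio records the OIDC issuer of the
// signing identity. Assumed here to be used unchanged by a private Fulcio.
var oidFulcioIssuer = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 57264, 1, 1}

// Policy is the identity a signature must come from (hypothetical admission policy).
type Policy struct {
	Email  string // SAN e-mail of the short-lived Fulcio certificate
	Issuer string // OIDC issuer Fulcio recorded for that identity
}

// VerifyKeyless does the certificate half of a keyless check: the leaf chains to
// the private Fulcio root only, carries exactly the policy identity, and signed
// payload. Checking the Rekor inclusion proof / SET is left out of this example.
func VerifyKeyless(root *x509.Certificate, leafDER, payload, sig []byte, p Policy, at time.Time) error {
	leaf, err := x509.ParseCertificate(leafDER)
	if err != nil {
		return fmt.Errorf("parse leaf: %w", err)
	}
	pool := x509.NewCertPool()
	pool.AddCert(root) // trust only the private root, never the system store
	_, err = leaf.Verify(x509.VerifyOptions{
		Roots:       pool,
		CurrentTime: at, // leaves live ~10 min; cosign checks at the Rekor integration time
		KeyUsages:   []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning},
	})
	if err != nil {
		return fmt.Errorf("chain: %w", err)
	}
	if len(leaf.EmailAddresses) != 1 || leaf.EmailAddresses[0] != p.Email {
		return fmt.Errorf("identity %v != %q", leaf.EmailAddresses, p.Email) // exact match, no substrings
	}
	issuer := ""
	for _, ext := range leaf.Extensions {
		if ext.Id.Equal(oidFulcioIssuer) {
			issuer = string(ext.Value) // this OID carries the raw string, not DER
		}
	}
	if issuer != p.Issuer {
		return fmt.Errorf("OIDC issuer %q != %q", issuer, p.Issuer)
	}
	pub, ok := leaf.PublicKey.(*ecdsa.PublicKey)
	if !ok {
		return fmt.Errorf("leaf key is not ECDSA")
	}
	digest := sha256.Sum256(payload)
	if !ecdsa.VerifyASN1(pub, digest[:], sig) {
		return fmt.Errorf("signature does not verify")
	}
	return nil
}

// MakeFixture constructs stand-in material (not data from the thread): a private
// root CA, a 10-minute leaf for email/issuer, and an ECDSA signature over payload.
func MakeFixture(email, issuer string, payload []byte, now time.Time) (root *x509.Certificate, leafDER, sig []byte, err error) {
	rootKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	rootTpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "private-fulcio-root"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	rootDER, err := x509.CreateCertificate(rand.Reader, rootTpl, rootTpl, &rootKey.PublicKey, rootKey)
	if err != nil {
		return nil, nil, nil, err
	}
	root, _ = x509.ParseCertificate(rootDER)
	leafKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	leafTpl := &x509.Certificate{
		SerialNumber: big.NewInt(2), // Fulcio leaves have an empty subject; identity is in the SAN
		NotBefore: now.Add(-time.Minute), NotAfter: now.Add(10 * time.Minute),
		KeyUsage:        x509.KeyUsageDigitalSignature,
		ExtKeyUsage:     []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning},
		EmailAddresses:  []string{email},
		ExtraExtensions: []pkix.Extension{{Id: oidFulcioIssuer, Value: []byte(issuer)}},
	}
	if leafDER, err = x509.CreateCertificate(rand.Reader, leafTpl, root, &leafKey.PublicKey, rootKey); err != nil {
		return nil, nil, nil, err
	}
	digest := sha256.Sum256(payload)
	sig, err = ecdsa.SignASN1(rand.Reader, leafKey, digest[:])
	return root, leafDER, sig, err
}

func main() {
	now := time.Now()
	payload := []byte("image-signature-payload")
	root, leafDER, sig, err := MakeFixture("peter@example.org", "https://oidc.example.org", payload, now)
	if err != nil {
		panic(err)
	}
	p := Policy{Email: "peter@example.org", Issuer: "https://oidc.example.org"}
	fmt.Println("matching policy:", VerifyKeyless(root, leafDER, payload, sig, p, now))
	p.Issuer = "https://accounts.google.com"
	fmt.Println("other issuer:   ", VerifyKeyless(root, leafDER, payload, sig, p, now))
}
```

The point of the three separate checks is that a valid chain alone proves nothing about who signed: any identity the private Fulcio has ever issued a leaf to would pass. Pinning the SAN and the issuer extension to exact values is what turns a chain check into an identity check, and passing an explicit `at` time is what lets a verifier accept a leaf that expired minutes after signing without disabling expiry checks altogether.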