zarf-dev / zarf

DevSecOps for Air Gap & Limited-Connection Systems. https://zarf.dev/
Apache License 2.0

Validate cosign signatures if included in `images` #2257

Open Racer159 opened 8 months ago

Racer159 commented 8 months ago

Is your feature request related to a problem? Please describe.

As Ezra, I want to validate cosign signatures on zarf package create so that I can have confidence that they will work correctly before the package goes to the air gap.

Describe the solution you'd like

Describe alternatives you've considered

We could have a separate process for this (and this will slow down create), but since it will only run when cosign signatures are defined it should be a fine tradeoff: people can opt into the slowdown if they need / want to, and if they do it will save them time in the long run, since it would be costly to bring an invalid package to the airgap.

Additional context

https://github.com/defenseunicorns/zarf/issues/475

mjnagel commented 4 months ago

validate cosign signatures on zarf package create so that I can have confidence that they will work correctly

Want to call out this is more than just "confidence they will work correctly" in the broad sense, but also confidence the image is what I expected (i.e. isn't some maliciously published image, it was published by the build system I expected). There are some valuable supply-chain considerations there.

Given I have a package with cosign signatures defined under images

While I think this is a good qualifier for a first pass, it would honestly be great if there were also a way to opt-in to signature validation even if I don't put signatures in images. It shouldn't be significantly more challenging since zarf already has code to find signatures, and in some cases I might just want signatures to be validated at build time and have no need to bring them along with me in my zarf package.

Then Zarf validates the signatures against the images

Worth noting that there are a number of different validation paths with cosign: you may need to pass in a key, skip the tlog, or it might just work (keyless signatures?). It would likely mean we need an additional "config block"/args to specify some of those options, and potentially allow it per registry/repo/image.
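One way the per-registry/repo/image verification options mentioned above could be modelled, as an added example that is not zarf's code and not a schema zarf defines: a small Go program with a hypothetical `VerifyPolicy` type (field names are assumptions), a resolver that picks the most specific matching policy (an image-level rule beats a repo-level rule, which beats a registry-level one), and a translation of that policy into `cosign verify` arguments. The cosign flag names (`--key`, `--certificate-identity`, `--certificate-oidc-issuer`, `--insecure-ignore-tlog`) are real; the sample policies and image references are constructed for the example.

```go
package main

import (
	"fmt"
	"strings"
)

// VerifyPolicy is a hypothetical config entry (not a zarf schema) describing
// how one cosign verification path applies to a set of images.
type VerifyPolicy struct {
	Match              string // registry, registry/repo, or full image (no tag/digest)
	Key                string // public key for key-based verification; "" means keyless
	Identity           string // keyless: expected signing identity (--certificate-identity)
	Issuer             string // keyless: expected OIDC issuer (--certificate-oidc-issuer)
	InsecureIgnoreTlog bool   // skip the Rekor transparency-log check (--insecure-ignore-tlog)
}

// samplePolicies are constructed sample data for this example only.
var samplePolicies = []VerifyPolicy{
	{Match: "registry.example.com", Key: "cosign.pub"},
	{Match: "registry.example.com/team/app",
		Identity: "https://github.com/example-org/app/.github/workflows/release.yml@refs/heads/main",
		Issuer:   "https://token.actions.githubusercontent.com"},
	{Match: "ghcr.io/vendor/tool", Key: "vendor.pub", InsecureIgnoreTlog: true},
}

// matches reports whether pattern covers image. The match must end on a path
// boundary ("/"), a tag (":") or a digest ("@") so that "team/app" does not
// silently cover "team/app-extra".
func matches(image, pattern string) bool {
	return image == pattern ||
		strings.HasPrefix(image, pattern+"/") ||
		strings.HasPrefix(image, pattern+":") ||
		strings.HasPrefix(image, pattern+"@")
}

// resolvePolicy returns the most specific policy covering image (the longest
// matching pattern wins) and false if no policy applies.
func resolvePolicy(image string, policies []VerifyPolicy) (VerifyPolicy, bool) {
	var best VerifyPolicy
	found := false
	for _, p := range policies {
		if matches(image, p.Match) && (!found || len(p.Match) > len(best.Match)) {
			best, found = p, true
		}
	}
	return best, found
}

// cosignArgs turns a policy into the argument list for `cosign verify`.
// A policy that is neither key-based nor a complete keyless identity/issuer
// pair is rejected, so a misconfigured entry fails closed instead of
// silently verifying nothing.
func cosignArgs(image string, p VerifyPolicy) ([]string, error) {
	args := []string{"verify"}
	switch {
	case p.Key != "":
		args = append(args, "--key", p.Key)
	case p.Identity != "" && p.Issuer != "":
		args = append(args, "--certificate-identity", p.Identity, "--certificate-oidc-issuer", p.Issuer)
	default:
		return nil, fmt.Errorf("policy %q for %s has neither a key nor a keyless identity/issuer pair", p.Match, image)
	}
	if p.InsecureIgnoreTlog {
		args = append(args, "--insecure-ignore-tlog")
	}
	return append(args, image), nil
}

func main() {
	for _, img := range []string{
		"registry.example.com/team/app:1.2.3",
		"registry.example.com/team/other@sha256:0000000000000000000000000000000000000000000000000000000000000000",
		"ghcr.io/vendor/tool:v2",
		"docker.io/library/nginx:1.25",
	} {
		p, ok := resolvePolicy(img, samplePolicies)
		if !ok {
			fmt.Printf("%s: no verification policy (would be a create-time error)\n", img)
			continue
		}
		args, err := cosignArgs(img, p)
		if err != nil {
			fmt.Println("error:", err)
			continue
		}
		fmt.Println("cosign", strings.Join(args, " "))
	}
}
```

The fail-closed branch in `cosignArgs` is the part worth keeping whatever the final config shape looks like: an image that ends up with no applicable policy, or an incomplete one, should stop `zarf package create` rather than ship to the air gap unverified.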