Skip to content

Commit

Permalink
docs: add docs for cosign identity matching
Browse files Browse the repository at this point in the history
Signed-off-by: Sanskar Jaiswal <[email protected]>
  • Loading branch information
aryan9600 committed Oct 6, 2023
1 parent dca67bb commit b250fca
Show file tree
Hide file tree
Showing 2 changed files with 24 additions and 0 deletions.
11 changes: 11 additions & 0 deletions docs/spec/v1beta2/helmcharts.md
Original file line number Diff line number Diff line change
Expand Up @@ -307,6 +307,14 @@ For publicly available HelmCharts, which are signed using the
[Cosign Keyless](https://github.com/sigstore/cosign/blob/main/KEYLESS.md) procedure,
you can enable the verification by omitting the `.verify.secretRef` field.

To verify that the subject and the OIDC issuer present in the Fulcio certificate
you can specify `.spec.verify.cosignIdentityMatch`. It provides two fields:

- `.issuerRegExp`, to sepcify a regexp that matches against the OIDC issuer.
- `.subjectRegExp`, to specify a regexp that matches against the identity in
the certificate.
Both values should follow the [Go regular expression syntax](https://golang.org/s/re2syntax).

Example of verifying HelmCharts signed by the
[Cosign GitHub Action](https://github.com/sigstore/cosign-installer) with GitHub OIDC Token:

Expand All @@ -325,6 +333,9 @@ spec:
version: ">=6.1.6"
verify:
provider: cosign
cosignIdentityMatch:
subjectRegExp: "stefanprodan"
issuerRegExp: "^https://token.actions.githubusercontent.com$"
```

```yaml
Expand Down
13 changes: 13 additions & 0 deletions docs/spec/v1beta2/ocirepositories.md
Original file line number Diff line number Diff line change
Expand Up @@ -506,6 +506,8 @@ signatures. The field offers two subfields:
- `.provider`, to specify the verification provider. Only supports `cosign` at present.
- `.secretRef.name`, to specify a reference to a Secret in the same namespace as
the OCIRepository, containing the Cosign public keys of trusted authors.
- `.cosignIdentityMatch`, to specify the identity matching criteria if the
artifact was signed using Cosign keyless signing.

```yaml
---
Expand Down Expand Up @@ -555,6 +557,14 @@ For publicly available OCI artifacts, which are signed using the
[Cosign Keyless](https://github.com/sigstore/cosign/blob/main/KEYLESS.md) procedure,
you can enable the verification by omitting the `.verify.secretRef` field.

To verify that the subject and the OIDC issuer present in the Fulcio certificate
you can specify `.spec.verify.cosignIdentityMatch`. It provides two fields:

- `.issuerRegExp`, to sepcify a regexp that matches against the OIDC issuer.
- `.subjectRegExp`, to specify a regexp that matches against the identity in
the certificate.
Both values should follow the [Go regular expression syntax](https://golang.org/s/re2syntax).

Example of verifying artifacts signed by the
[Cosign GitHub Action](https://github.com/sigstore/cosign-installer) with GitHub OIDC Token:

Expand All @@ -568,6 +578,9 @@ spec:
url: oci://ghcr.io/stefanprodan/manifests/podinfo
verify:
provider: cosign
cosignIdentityMatch:
subjectRegExp: "stefanprodan"
issuerRegExp: "^https://token.actions.githubusercontent.com$"
```

The controller verifies the signatures using the Fulcio root CA and the Rekor
Expand Down

0 comments on commit b250fca

Please sign in to comment.