cosign + connaisseur - image with multiple cosign signatures to be verified before deployment #371
-
Hi, I'm new to this community, so I welcome any feedback and your patience if this is obvious. I just can't find relevant information or, ideally, an example.

A use case I want to test is to use cosign to sign an individual image multiple times with different keys. This can be done using the annotation argument to cosign sign. The use case is that in a CI->CD flow, there may be several stages along the path at which individuals (or automation) might sign the image, and each individual/automation stage would use their own private key to sign the image. For example, "vulnerability scan pass" = signature A, "QA pass" = signature B. When the image is to be deployed to k8s, I would want connaisseur to confirm that the image contains both signature A and signature B.

My understanding is that if a validator does not specify a trust_root, the single key listed in the default section would be verified. If a trust_root is defined in the policy, the single key listed in that matching section would be used. In either situation, there is only one single "key" field and no way to list multiple keys to be validated. I see in the 2.0 Release there is a reference to multi-key support, but I'm unsure whether this means one and the same.

If anyone could point me at any detail on whether this is supported with cosign/connaisseur, with any detail I can follow up with, that would be very much appreciated.

Thanks, Tommy
Replies: 2 comments 4 replies
-
Welcome @tommyreilly 👋 I like the use-case and think that is a very valid scenario.

```yaml
- pattern: "docker.io/my-app/*:*"
  validator: my-validator
  with:
    trust_roots: ["vulnerability-scanner","qa-scanner"]
```

That would suffice for your use-case, right?
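As an added example (not from this thread or the Connaisseur project), here is a constructed values.yaml excerpt that wires two cosign trust roots to the policy rule sketched above, so that a deployment is admitted only if the image carries a valid signature from each stage key. The trust root names, the image pattern and the public-key contents are placeholders, and the `trust_roots` list under `with` follows the syntax proposed in the reply rather than a verified copy of the released docs.

```yaml
# Constructed Connaisseur (2.x) values.yaml excerpt: one cosign validator
# holding one trust root per CI stage, and a policy rule that requires
# signatures from both roots. Key blocks are placeholders.
validators:
- name: my-validator
  type: cosign
  trust_roots:
  - name: vulnerability-scanner   # key used by the vulnerability-scan stage
    key: |
      -----BEGIN PUBLIC KEY-----
      <placeholder: cosign public key of the vulnerability-scan stage>
      -----END PUBLIC KEY-----
  - name: qa-scanner               # key used by the QA stage
    key: |
      -----BEGIN PUBLIC KEY-----
      <placeholder: cosign public key of the QA stage>
      -----END PUBLIC KEY-----

policy:
# Images under docker.io/my-app/ are admitted only when a valid cosign
# signature exists for every trust root listed here; a missing or
# invalid signature from either stage causes the admission to be denied.
- pattern: "docker.io/my-app/*:*"
  validator: my-validator
  with:
    trust_roots: ["vulnerability-scanner", "qa-scanner"]
```

Before rolling this out, check the exact field names against the multi-signature section of the Connaisseur docs for the version you deploy, since the released syntax may differ from the proposal quoted above.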
-
@tommyreilly the feature has been released after a looooong lead period 😉
you can find the docs here: https://sse-secure-systems.github.io/connaisseur/v2.5.0/validators/sigstore_cosign/#multi-signature-verification
Feel free to share your thoughts on the implementation 🚀