feat: add support for signature algorithm in cosign cert and kms veri… #1556

Open
wants to merge 5 commits into
base: main

yrsuthari
Contributor

Fixes: #1415

Proposed Changes:

This PR enhances the Sigstore documentation by adding information about the signatureAlgorithm field support in:

  • Certificate-based verification - Added documentation explaining how to use the signatureAlgorithm field with certificate-based verification
  • AWS KMS verification - Added an example showing how to specify the signature algorithm when using AWS KMS for verification
  • Updated the "Using a different signature algorithm" section to clarify that this feature works with certificates and KMS, not just with keys

These changes improve the documentation by showing users how to use different signature algorithms (sha224, sha256, sha384, sha512) with various verification methods in Kyverno policies.

Checklist
[x] I have read the contributing guidelines.
[x] I have inspected the website preview for accuracy.
[x] I have signed off my issue.

@yrsuthari yrsuthari force-pushed the feat/add-signature-algorithm-support branch from 27bc1d9 to 71cbb31 Compare May 5, 2025 07:11
@realshuting realshuting requested a review from vishal-chdhry May 7, 2025 13:56
-----END PUBLIC KEY-----
ctlog:
ignoreSCT: true
pubkey: |-
-----BEGIN PUBLIC KEY-----
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE8nXRh950IZbRj8Ra/N9sbqOPZrfM
5/KAQN0/KjHcorm/J5yctVd7iEcnessRQjU917hmKO6JWVGHpDguIyakZA==
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEE8uGVnyDWPPlB7M5KOHRzxzPHtAy
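Review bot: the `pubkey` block under `ctlog` shows two different opening lines of key material, which reads as the example key being swapped in a PR whose description covers only `signatureAlgorithm` documentation. If the key change is intentional, say why in the description and check that the replacement is a complete PEM block that matches what the example verifies; otherwise drop it so the diff stays limited to the new field.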
Member

I don't understand this change.

attestors:
- entries:
- keys:
kms: "awskms://[ENDPOINT]/[ID/ALIAS/ARN]"
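Review bot: in the lines shown, `keys:` carries only `kms:` and no `signatureAlgorithm` entry is visible, although the description says this example shows how to specify the algorithm with AWS KMS. Confirm the field sits under `keys:` beside `kms:`, and add a short comment listing the accepted values named in the description (sha224, sha256, sha384, sha512). The placeholder `[ENDPOINT]/[ID/ALIAS/ARN]` also uses `/` both as a path separator and to mean "or"; spelling out the alternatives would avoid misreading.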
Member

I think we can just have one example of signature algorithm as it applies to all other types (key, kms, certs)

Contributor Author

@vishal-chdhry I've consolidated the signature algorithm examples into a single comprehensive example that shows how it works across all verification methods (keys, certificates, and KMS). This makes the documentation clearer and avoids redundancy since the functionality works the same way regardless of the verification method used.

The updated example includes all three use cases with clear comments, making it easier for users to understand how to use signature algorithms consistently across their infrastructure.

Let me know if you'd like any further adjustments to the documentation.

@JimBugwadia
Member

@yrsuthari - can you please address the review comments from Vishal?

@yrsuthari
Contributor Author

> @yrsuthari - can you please address the review comments from Vishal?

Hi @JimBugwadia, I have done so.

@yrsuthari yrsuthari force-pushed the feat/add-signature-algorithm-support branch from 84ac393 to bdc60f9 Compare May 10, 2025 13:52
yrsuthari added 3 commits May 10, 2025 19:23
…fication

Signed-off-by: Yogi Suthari <yrsuthari@gmail.com>
…charts

Signed-off-by: Yogi Suthari <yrsuthari@gmail.com>
Fixes: kyverno#1415

Signed-off-by: Yogi Suthari <yrsuthari@gmail.com>
@yrsuthari yrsuthari force-pushed the feat/add-signature-algorithm-support branch from bdc60f9 to 296ff83 Compare May 10, 2025 13:53
@yrsuthari yrsuthari requested a review from vishal-chdhry May 13, 2025 02:47
@yrsuthari
Contributor Author

Hi @JimBugwadia, can this be merged? Are there any other concerns in this regard?

Successfully merging this pull request may close these issues.

[Enhancement] feat: add support for signature algorithm in cosign cert and kms verification
3 participants