falcosecurity/falcoctl

Support KMS keys in cosign signature

Closed this issue · 2 comments

Cosign supports KMS providers; the CLI command would look like:

cosign verify --key <some provider>://<some key> $IMAGE_DIGEST

What would you like to be added:
We would need to add the key (or public-key) parameter to the Signature.cosign section to support KMS providers instead of the certificate-{oidc,identity}-* parameters.

Why is this needed:
Our use case is to verify rules signed with AWS KMS and stored in AWS ECR, but that would also enable support for GCP, Azure and Vault KMS.
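A sketch of what such an index entry could look like, added here as an illustration rather than taken from falcoctl's code or docs: the entry layout and the field names `key`, `certificate-oidc-identity` and `certificate-issuer` are assumptions, the registry and key names are placeholders, and the KMS URI schemes are the ones cosign itself accepts for `--key`.

```yaml
# Hypothetical falcoctl index entries (constructed for illustration; the
# entry layout and field names are assumptions, not falcoctl's real schema).

# Today: keyless verification, pinned to one OIDC identity and issuer.
- name: falco-rules
  type: rulesfile
  registry: ghcr.io
  repository: example-org/rules/falco-rules
  signature:
    cosign:
      certificate-oidc-identity: https://github.com/example-org/rules/.github/workflows/release.yaml@refs/tags/v1.0.0
      certificate-issuer: https://token.actions.githubusercontent.com

# Requested: verification against a key held in a KMS, with no certificate-* fields.
# The value is the same URI that `cosign verify --key <uri>` accepts.
- name: internal-rules
  type: rulesfile
  registry: 123456789012.dkr.ecr.eu-west-1.amazonaws.com   # placeholder account/region
  repository: security/internal-rules
  signature:
    cosign:
      # AWS KMS URI form: awskms://[ENDPOINT]/[ID|ALIAS|ARN]; empty endpoint
      # gives the three slashes below.
      key: awskms:///alias/falco-rules-signing

# The same field would cover the other providers cosign supports:
#   gcpkms://projects/PROJECT/locations/LOCATION/keyRings/RING/cryptoKeys/KEY/versions/VERSION
#   azurekms://VAULT_NAME.vault.azure.net/KEY_NAME
#   hashivault://KEY_NAME
```

Unlike a keyless entry, this ties verification to the KMS key's access policy: the host running falcoctl must be allowed to use the key through that provider, and a key rotation means updating the index entry.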

Thanks for the issue @brennoo, are you willing to open a PR to add this feature?

Hi there @cpanato, sure.
I will work on that and raise a PR, probably next week or so 🚀