ratify-project/ratify

Support keyless verification with OIDC identities

Closed · 1 comment

What would you like to be added?

Currently Ratify supports keyless verification with Cosign 1.x only. Since Cosign 2.0, keyless verification requires OIDC identities and OIDC issuers. Ratify needs to introduce new parameters for the cosign verifier.

Anything else you would like to add?

No response

Are you willing to submit PRs to contribute to this feature?

  • Yes, I am willing to implement it.

Discussed with @akashsinghal, this issue can be planned for Ratify 1.3.0. Currently, the Cosign verifier continues to function because the API does not mandate OIDC identity and issuer as a requirement. /cc @susanshi
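The identity and issuer constraint requested in this issue, sketched as an added Go example; it is not code from Ratify or Cosign. `Identity`, `CheckIdentity` and `sampleCert` are hypothetical names, and the certificate values are constructed. The example assumes chain and signature verification have already succeeded, and that the issuer is carried in the Fulcio extension 1.3.6.1.4.1.57264.1.1.

```go
package main

import (
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"errors"
	"fmt"
)

// Fulcio certificate extension carrying the OIDC issuer as a raw string.
var oidIssuer = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 57264, 1, 1}

// Identity is a hypothetical policy entry, not a Ratify or Cosign type.
type Identity struct{ Issuer, Subject string }

// CheckIdentity passes only if the issuer extension and one SAN both match a
// single allowed entry. An empty policy is rejected rather than skipped.
func CheckIdentity(cert *x509.Certificate, allowed []Identity) error {
	if len(allowed) == 0 {
		return errors.New("no identity configured: any signer would be accepted")
	}
	issuer := ""
	for _, ext := range cert.Extensions {
		if ext.Id.Equal(oidIssuer) {
			issuer = string(ext.Value)
		}
	}
	sans := append([]string{}, cert.EmailAddresses...)
	for _, u := range cert.URIs {
		sans = append(sans, u.String())
	}
	for _, id := range allowed {
		for _, san := range sans {
			if issuer != "" && id.Issuer == issuer && id.Subject == san {
				return nil
			}
		}
	}
	return fmt.Errorf("signer %v from issuer %q is not in the allowed list", sans, issuer)
}

// sampleCert builds a constructed certificate holding only the checked fields.
func sampleCert(subject, issuer string) *x509.Certificate {
	return &x509.Certificate{EmailAddresses: []string{subject},
		Extensions: []pkix.Extension{{Id: oidIssuer, Value: []byte(issuer)}}}
}

func main() {
	policy := []Identity{{"https://issuer.example.com", "release@example.com"}}
	fmt.Println(CheckIdentity(sampleCert("other@example.com", "https://issuer.example.com"), policy))
}
```

Rejecting an empty policy makes a missing identity configuration visible instead of silently accepting every certificate the CA has issued.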