
Using keyless signing from sigstore cosign

Çağlar Arlı


We recently adopted Sigstore to sign our binary artifacts using a keyless approach. The framework allows using the OIDC token provided by the EKS cluster (https://docs.sigstore.dev/certificate_authority/oidc-in-fulcio/#kubernetes) with the following claim set (in the k8s case):

{
    "kubernetes.io": {
        "namespace": "default",
        "pod": {
            "name": "oidc-test",
            "uid": "49ad3572-b3dd-43a6-8d77-5858d3660275"
        },
        "serviceaccount": {
            "name": "default",
            "uid": "f5720c1d-e152-4356-a897-11b07aff165d"
        }
    }
}

Signing (https://docs.sigstore.dev/cosign/signing/signing_with_blobs/) and verifying (https://docs.sigstore.dev/cosign/verifying/verify/) blobs work as expected.

The cosign CLI (https://github.com/sigstore/cosign), which we use for both steps, needs the following information during verification.

The following is taken from cosign verify-blob --help:

--certificate-identity='':
    The identity expected in a valid Fulcio certificate. Valid values include email address, DNS names, IP
    addresses, and URIs. Either --certificate-identity or --certificate-identity-regexp must be set for keyless
    flows.

--certificate-oidc-issuer='':
    The OIDC issuer expected in a valid Fulcio certificate, e.g. https://token.actions.githubusercontent.com or
    https://oauth2.sigstore.dev/auth. Either --certificate-oidc-issuer or --certificate-oidc-issuer-regexp must be
    set for keyless flows.

The question is: can we expose the EKS cluster ID (our OIDC issuer) and our k8s workload name, i.e. our service account name in the EKS cluster that holds the OIDC token, to the public?

Though Rekor already holds this information in a publicly accessible read-only log from the time of signing, we want to check: is exposing this information during the verify stage still fine?
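To make concrete what the two verify-blob flags are matched against, here is an added example (not code from the question, cosign or Fulcio). It builds a constructed, unsigned token carrying the claim set from the question, derives from it the identity URI and issuer that the Fulcio certificate is expected to contain, assembles the corresponding cosign verify-blob invocation, and mirrors the exact-vs-regexp matching choice the CLI offers. Assumptions: the issuer string is a placeholder in the shape of an EKS OIDC issuer, and the identity URI form https://kubernetes.io/namespaces/<ns>/serviceaccounts/<name> is the one I understand Fulcio to use for Kubernetes principals; confirm it by inspecting the SAN of a certificate your cluster actually obtains.

```python
import base64
import json
import re
from typing import List, Optional

# Constructed placeholder in the shape of an EKS cluster OIDC issuer (assumption,
# not a real cluster). The cluster ID is exactly what the question asks about.
EXAMPLE_ISSUER = "https://oidc.eks.REGION.amazonaws.com/id/CLUSTER_ID_PLACEHOLDER"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_unsigned_token(payload: dict) -> str:
    """Build a compact JWS with a dummy signature. The token is constructed for this
    example only; in the real flow Fulcio verifies the cluster's signature."""
    header = {"alg": "RS256", "kid": "constructed"}
    return ".".join([_b64url(json.dumps(header).encode()),
                     _b64url(json.dumps(payload).encode()),
                     "dummy-signature"])


# Claim set from the question, plus the iss/sub fields a projected SA token carries.
EXAMPLE_TOKEN = make_unsigned_token({
    "iss": EXAMPLE_ISSUER,
    "sub": "system:serviceaccount:default:default",
    "aud": ["sigstore"],
    "kubernetes.io": {
        "namespace": "default",
        "pod": {"name": "oidc-test", "uid": "49ad3572-b3dd-43a6-8d77-5858d3660275"},
        "serviceaccount": {"name": "default", "uid": "f5720c1d-e152-4356-a897-11b07aff165d"},
    },
})


def decode_jwt_payload(token: str) -> dict:
    """Decode the payload segment of a compact JWS without verifying the signature."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    seg = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(seg))


def expected_identity(claims: dict) -> str:
    """Identity URI expected in the certificate SAN for a Kubernetes service account
    (assumed Fulcio format; check against a real certificate)."""
    k8s = claims["kubernetes.io"]
    return (f"https://kubernetes.io/namespaces/{k8s['namespace']}"
            f"/serviceaccounts/{k8s['serviceaccount']['name']}")


def verify_blob_command(claims: dict, blob: str, signature: str, certificate: str) -> List[str]:
    """The cosign verify-blob argv the verifying side would run. Both values handed to
    the CLI are also what the certificate (and therefore Rekor) already records."""
    return ["cosign", "verify-blob",
            "--certificate-identity", expected_identity(claims),
            "--certificate-oidc-issuer", claims["iss"],
            "--certificate", certificate,
            "--signature", signature,
            blob]


def identity_matches(cert_identity: str, cert_issuer: str,
                     identity: Optional[str] = None, identity_regexp: Optional[str] = None,
                     issuer: Optional[str] = None, issuer_regexp: Optional[str] = None) -> bool:
    """Mirror of the flag semantics in the help text: exactly one of the exact/regexp
    forms must be given for identity and for issuer. The regexp forms use an
    unanchored search here, so anchor patterns with ^ and $ to avoid over-matching."""
    if (identity is None) == (identity_regexp is None):
        raise ValueError("set exactly one of identity / identity_regexp")
    if (issuer is None) == (issuer_regexp is None):
        raise ValueError("set exactly one of issuer / issuer_regexp")
    id_ok = cert_identity == identity if identity is not None \
        else re.search(identity_regexp, cert_identity) is not None
    iss_ok = cert_issuer == issuer if issuer is not None \
        else re.search(issuer_regexp, cert_issuer) is not None
    return id_ok and iss_ok


if __name__ == "__main__":
    claims = decode_jwt_payload(EXAMPLE_TOKEN)
    print(" ".join(verify_blob_command(claims, "artifact.bin", "artifact.sig", "artifact.pem")))
```

The takeaway for the question: the verifier needs nothing that is not already in the leaf certificate, and anchoring the regexp forms (or using the exact forms, as above) is what stops a certificate from a different namespace or cluster from verifying.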