git.stella-ops.org/docs/product-advisories/25-Dec-2025 - Planning Keyless Signing for Verdicts.md
2025-12-25 20:15:19 +02:00

Here's a practical, low-friction way to modernize how you sign and verify build “verdicts” in CI/CD using Sigstore: no long-lived keys, offline-friendly, and easy to audit.


1) Use keyless signing in CI

  • In your pipeline, obtain an OIDC token (from your CI runner) and let Fulcio issue a short-lived X.509 code-signing cert (~10 minutes). You sign with the ephemeral key; the cert and signature are logged to Rekor. (Sigstore Blog)

Why: no key escrow in CI, nothing persistent to steal, and every signature is time-bound and transparency-logged.


2) Keep one hardware-backed org key only for special cases

  • Reserve a physical HSM/YubiKey (or KMS) key for: a) re-signing monthly bundles (see §4), and b) offline/air-gapped verification workflows where a trust anchor is needed. Cosign supports disconnected/offline verification patterns and mirroring the proof data. (Sigstore)

3) Make “verdicts” first-class OCI attestations

  • Emit DSSE attestations (SBOM deltas, reachability graphs, policy results) as OCI-attached artifacts and sign them keyless in CI. (Cosign is designed to sign/verify arbitrary OCI artifacts alongside images.) (Artifact Hub)

4) Publish a rotation & refresh policy

  • Every month, collect older attestations and re-sign them into a long-lived “bundle” (plus timestamps) using the org key. This keeps proofs verifiable over years, even after the 10-minute certs expire, because the bundle contains the cert chain, the Rekor inclusion proof, and timestamps suitable for offline verification. (Trustification)

Suggested SLOs

  • CI keyless cert TTL: 10 minutes (Fulcio default). (Sigstore)
  • Bundle cadence: monthly (or per release); retain N=24 months.

5) Offline / air-gapped verification

  • Mirror the image + attestation + Rekor proof (or bundle) into the disconnected registry. Verify with cosign verify using the mirrored materials; no internet access is needed. (Multiple guides show fully disconnected OpenShift/air-gapped flows.) (Red Hat Developer)

6) Address common concerns (“myths”)

  • “Short-lived certs will break verification later.” → They don't: you verify against the Rekor proof/bundle, not live cert validity. (Trustification)
  • “Keyless means less security.” → The opposite: no static secrets in CI; certs expire in ~10 minutes; identity bound via OIDC and logged. (Chainguard)

Minimal rollout checklist

  • Enable OIDC on your CI runners; test cosign sign --identity-token ...
  • Enforce identity/issuer in policy: --certificate-identity + --certificate-oidc-issuer at verify time. (Sigstore)
  • Set up a monthly job to build Sigstore bundles from past attestations and resign with the org key. (Trustification)
  • For offline sites: mirror images + attestations + bundles; verify with cosign verify entirely offline. (Red Hat Developer)
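The checklist above as a set of shell functions, added here as an example (not StellaOps' or Sigstore's own code). The issuer, identity, image reference and key reference are assumed placeholders; COSIGN can be pointed at a wrapper for dry runs.

```shell
#!/usr/bin/env sh
# Added example: keyless sign, identity-pinned verify gate, offline verify and
# monthly org-key countersigning. All values below are assumed placeholders.
set -eu

: "${COSIGN:=cosign}"                                              # wrapper-friendly for dry runs
: "${CI_ISSUER:=https://token.actions.githubusercontent.com}"      # assumed OIDC issuer
: "${CI_IDENTITY:=https://github.com/<org>/<repo>/.github/workflows/release.yml@refs/heads/main}"

# 1) Keyless signing: the runner's OIDC token is exchanged at Fulcio for a
#    ~10-minute cert; cosign logs cert + signature to Rekor for you.
keyless_sign() {            # $1 = image reference (pin by digest)
  if [ -n "${OIDC_TOKEN:-}" ]; then
    "$COSIGN" sign --yes --identity-token "$OIDC_TOKEN" "$1"
  else
    "$COSIGN" sign --yes "$1"   # ambient OIDC (e.g. GitHub Actions id-token: write)
  fi
}

# 3) A verdict (policy result, SBOM delta, ...) attached as a DSSE attestation.
attest_verdict() {          # $1 = image, $2 = predicate JSON file, $3 = predicate type URI
  "$COSIGN" attest --yes --predicate "$2" --type "$3" "$1"
}

# Verify gate: pin issuer AND identity. Without both, any Fulcio-issued cert
# from any tenant of that issuer would satisfy the signature check.
verify_gate() {             # $1 = image
  [ -n "$CI_ISSUER" ] && [ -n "$CI_IDENTITY" ] || { echo "identity/issuer not pinned" >&2; return 2; }
  "$COSIGN" verify --certificate-oidc-issuer "$CI_ISSUER" --certificate-identity "$CI_IDENTITY" "$1"
}
verify_verdict() {          # $1 = image, $2 = predicate type URI
  "$COSIGN" verify-attestation --type "$2" \
    --certificate-oidc-issuer "$CI_ISSUER" --certificate-identity "$CI_IDENTITY" "$1"
}

# 5) Offline site: cert, signature and Rekor inclusion proof travel inside the
#    mirrored OCI signature; --offline refuses any network lookup. Assumes the
#    Sigstore trust root is already cached locally.
verify_offline() {          # $1 = image in the mirrored registry
  "$COSIGN" verify --offline \
    --certificate-oidc-issuer "$CI_ISSUER" --certificate-identity "$CI_IDENTITY" "$1"
}

# 4) Monthly job: countersign an exported bundle with the hardware-backed org
#    key so the proof stays verifiable long after the CI certs have expired.
resign_bundle() {           # $1 = bundle file, $2 = org key ref (KMS URI or key file)
  "$COSIGN" sign-blob --yes --key "$2" --bundle "$1.org.bundle" "$1"
}
```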

Want me to draft the exact cosign commands and a GitLab/GitHub Actions snippet for your StellaOps pipelines (keyless sign, verify gates, monthly bundling, and an offline verification playbook)?