Signing Bundles
Porter has built-in support for signing bundles and the associated bundle image using Cosign or Notation. Learn how to configure Porter to sign bundles.
Cosign
Prerequisites
- Cosign is installed and is available on the PATH.
- A key-pair for signing is available.
Instructions for installing Cosign can be found on the Cosign Installation page, and instructions for generating a key-pair can be found on the Cosign Signing with Self-Managed Keys page.
🚧 Currently Porter does not support Keyless Signing or reading the key-pair from anything but files.
Configuration
Porter has to be configured to use Cosign to sign bundles and bundle images. All configuration is done through the Porter config file. To configure Cosign, add the following to the configuration file.
```yaml
# ~/.porter/config.yaml
default-signer: "mysigner"
signer:
  - name: "mysigner"
    plugin: "cosign"
    config:
      publickey: <PATH_TO_PUBLIC_KEY>
      privatekey: <PATH_TO_PRIVATE_KEY>
      # Set the mode for fetching references from the registry. Allowed: legacy, oci-1-1.
      # If set to oci-1-1, experimental must be set to true.
      # registrymode: legacy
      # Enable Cosign experimental features.
      # Required if registrymode is set to oci-1-1.
      # experimental: false
      # Allow signing of bundles in registries with expired or self-signed certificates.
      # Should only be used for testing.
      # insecureregistry: false
```
Notation
Prerequisites
- Notation is installed and is available on the PATH.
- A signing key and certificate have been configured.
- A trust policy for verification has been configured.
Instructions for installing Notation can be found on the Notation Installation page, and instructions for configuring a signing key, certificate and trust policy can be found in the Notation Quickstart Guide.
⚠️ Self-signed certificates should only be used for testing.
Configuration
Porter has to be configured to use Notation to sign bundles and bundle images. All configuration is done through the Porter config file. To configure Notation, add the following to the configuration file.
```yaml
# ~/.porter/config.yaml
default-signer: "mysigner"
signer:
  - name: "mysigner"
    plugin: "notation"
    config:
      key: <NOTATION_KEY_NAME>
      # Allow signing of bundles in HTTP registries.
      # Should only be used for testing.
      # insecureregistry: false
```
Sign bundle
To sign a bundle, run porter publish with the --sign-bundle flag.
Verify bundle
A bundle can be verified before installation by adding the --verify-bundle flag to porter install.
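The following pre-flight check is an added example and is not part of Porter or of this page; it ties the Cosign and Notation configuration sections above to the publish step. It reads the signer section of a Porter config file in the flat layout shown on this page (a single signer with plain `key: value` lines) using grep-style matching rather than a YAML parser, and refuses to approve signing when the key files are missing, when `registrymode: oci-1-1` is set without `experimental: true`, or when no known plugin is configured. The sample config, the placeholder key files and the function names (`cfg_value`, `porter_signer_check`) are all constructed for this example.

```shell
#!/bin/sh
# Added example, not Porter's own tooling: sanity-check the signer block of a
# Porter config file before running `porter publish --sign-bundle`.
# Assumes the flat one-signer layout from this page; commented-out keys
# (lines starting with '#') are treated as unset.

# Print the first value found for a scalar key, with surrounding quotes removed.
# $1 = config file, $2 = key name
cfg_value() {
    sed -n "s/^[[:space:]]*$2:[[:space:]]*//p" "$1" | head -n 1 | tr -d "\"'"
}

# Return 0 when the signer config looks usable, 1 otherwise.
# Each finding is printed on its own line so it is readable in CI logs.
porter_signer_check() {
    cfg="$1"
    rc=0
    plugin=$(cfg_value "$cfg" plugin)
    case "$plugin" in
        cosign)
            # Cosign signer: both key files must be present and readable.
            for k in publickey privatekey; do
                path=$(cfg_value "$cfg" "$k")
                if [ -z "$path" ]; then
                    echo "FAIL: cosign signer has no $k"; rc=1
                elif [ ! -r "$path" ]; then
                    echo "FAIL: $k file not readable: $path"; rc=1
                fi
            done
            # The page's caveat: oci-1-1 registry mode requires experimental: true.
            mode=$(cfg_value "$cfg" registrymode)
            exp=$(cfg_value "$cfg" experimental)
            if [ "$mode" = "oci-1-1" ] && [ "$exp" != "true" ]; then
                echo "FAIL: registrymode oci-1-1 requires experimental: true"; rc=1
            fi
            ;;
        notation)
            # Notation signer: a key name must be configured.
            if [ -z "$(cfg_value "$cfg" key)" ]; then
                echo "FAIL: notation signer has no key name"; rc=1
            fi
            ;;
        "")
            echo "FAIL: no signer plugin configured"; rc=1
            ;;
        *)
            echo "FAIL: unknown signer plugin: $plugin"; rc=1
            ;;
    esac
    # Both plugins accept insecureregistry; the page says it is for testing only.
    if [ "$(cfg_value "$cfg" insecureregistry)" = "true" ]; then
        echo "WARN: insecureregistry is enabled; use only for testing"
    fi
    return $rc
}

# Stand-alone demonstration on a constructed config (placeholder key files,
# not real keys) that sets oci-1-1 mode without enabling experimental features.
demo_dir=$(mktemp -d)
: > "$demo_dir/cosign.pub"
: > "$demo_dir/cosign.key"
cat > "$demo_dir/config.yaml" <<EOF
# constructed sample in the layout shown on this page
default-signer: "mysigner"
signer:
  - name: "mysigner"
    plugin: "cosign"
    config:
      publickey: $demo_dir/cosign.pub
      privatekey: $demo_dir/cosign.key
      registrymode: oci-1-1
EOF
if porter_signer_check "$demo_dir/config.yaml"; then
    echo "config OK: safe to run 'porter publish --sign-bundle'"
else
    echo "fix the findings above before signing"
fi
rm -r "$demo_dir"
```

Run it as a step before `porter publish --sign-bundle` in a pipeline, pointing it at the config file Porter will actually use; the demonstration at the bottom prints a FAIL line for the missing `experimental: true`, which is exactly the misconfiguration the Cosign comments above warn about.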