feat(verify): ✨ add custom Sigstore trusted root support #2003

Open
pmialon wants to merge 1 commit into fluxcd:main from qube-rt:feat/custom-sigstore-trusted-root

Conversation


@pmialon pmialon commented Mar 11, 2026

Enable signature verification of OCI artifacts and Helm charts against self-hosted Sigstore infrastructure (custom Fulcio CA, self-hosted Rekor instance) by introducing a trustedRootSecretRef field on the verify spec.

When set, the controller reads a trusted_root.json from the referenced Secret, extracts the Rekor URL from the transparency log entries, and creates a verifier using the custom trusted material instead of the public Sigstore TUF root.

Changes:

  • Add TrustedRootSecretRef field to OCIRepositoryVerification API type
  • Update HelmChart and OCIRepository CRD schemas
  • Refactor cosign verifier into three clear early-return paths (public key, custom trusted root, public Sigstore)
  • Add readTrustedRootFromSecret helper with tests
  • Wire trusted root reading into both HelmChart and OCIRepository controllers
  • Document custom Sigstore usage in v1 and v1beta2 specs

Closes: #1103
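As an added illustration of the trusted-root reading step the description refers to (this is not the PR's code or the source-controller's helper), the Go sketch below takes a Secret's data map, decodes the `trusted_root.json` document with the standard library and pulls the Rekor base URL out of the `tlogs` entries. The Secret key name `trusted_root.json`, the function name and the "first log entry wins" rule are assumptions; the field names follow the Sigstore TrustedRoot JSON schema.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// trustedRoot is a minimal view of the Sigstore TrustedRoot JSON document;
// only the fields needed to locate the Rekor instance are decoded.
type trustedRoot struct {
	MediaType string `json:"mediaType"`
	TLogs     []struct {
		BaseURL string `json:"baseUrl"`
	} `json:"tlogs"`
}

// rekorURLFromSecret reads the document from the Secret under the assumed key
// "trusted_root.json", checks that it is a trusted-root document, and returns
// the base URL of the first transparency log listed in it.
func rekorURLFromSecret(data map[string][]byte) (string, error) {
	raw, ok := data["trusted_root.json"]
	if !ok {
		return "", errors.New("secret has no trusted_root.json key")
	}
	var root trustedRoot
	if err := json.Unmarshal(raw, &root); err != nil {
		return "", fmt.Errorf("decoding trusted root: %w", err)
	}
	if !strings.HasPrefix(root.MediaType, "application/vnd.dev.sigstore.trustedroot") {
		return "", fmt.Errorf("unexpected mediaType %q", root.MediaType)
	}
	if len(root.TLogs) == 0 || root.TLogs[0].BaseURL == "" {
		// Without a transparency log the root cannot back keyless
		// verification that relies on a Rekor entry, so fail early.
		return "", errors.New("trusted root lists no transparency log")
	}
	return root.TLogs[0].BaseURL, nil
}

func main() {
	// Constructed sample describing a self-hosted Rekor instance.
	secret := map[string][]byte{"trusted_root.json": []byte(`{"mediaType":` +
		`"application/vnd.dev.sigstore.trustedroot+json;version=0.1",` +
		`"tlogs":[{"baseUrl":"https://rekor.internal.example","hashAlgorithm":"SHA2_256"}]}`)}
	url, err := rekorURLFromSecret(secret)
	fmt.Println(url, err)
}
```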

@pmialon pmialon force-pushed the feat/custom-sigstore-trusted-root branch 2 times, most recently from f19c2e3 to 7ea3f5a Compare March 11, 2026 11:09
@stefanprodan stefanprodan added area/security Security related issues and pull requests area/oci OCI related issues and pull requests labels Mar 11, 2026
Enable signature verification of OCI artifacts against self-hosted
Sigstore infrastructure (custom Fulcio CA, self-hosted Rekor instance)
by introducing a trustedRootSecretRef field on the verify spec.

When set, the controller reads a trusted_root.json from the referenced
Secret, extracts the Rekor URL from the transparency log entries, and
creates a verifier using the custom trusted material instead of the
public Sigstore TUF root.

Signed-off-by: Pierre-Gilles Mialon <pierre-gilles.mialon@qube-rt.com>
@pmialon pmialon force-pushed the feat/custom-sigstore-trusted-root branch from 7ea3f5a to cd768e2 Compare March 11, 2026 11:34
@stefanprodan
Member

@pmialon please run make api-docs and force push the changes to unblock CI.


Development

Successfully merging this pull request may close these issues.

Improve cosign configuration options