Feature Request: Make `kwctl inspect` show pubkey/(issuer, subject), annotations of signatures #203
Is your feature request related to a problem?
Right now, `kwctl inspect` only shows the full payloads, without unwrapping them to see the signature information. Hence, one only gets info on "there's a signature", but not what it entails.

Solution you'd like
Instead, have `kwctl inspect` print the list of signatures as: timestamp of signature, pubkey or (issuer, subject), annotations.

Have `kwctl inspect` open the signature body, analogous to what this pipeline does:

```sh
crane manifest $COSIGN_IMAGE | \
  jq '.layers[0].annotations."dev.sigstore.cosign/bundle" | fromjson | .Payload.body | @base64d | fromjson'
```

Then, extract the pub key or (issuer, subject), and annotations associated with that specific signature. This should be possible using sigstore-rs functions.

See also https://github.com/sigstore/sigstore-rs/wiki/Key-based-signing-using-cosign-and-Rekor#the-signature-object.
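As an added illustration (not code from kwctl or sigstore-rs), the same unwrapping done in Python on a constructed signature-image layer: the bundle annotation is parsed, its `Payload.body` base64-decoded into the Rekor `hashedrekord` entry, and the integrated time and PEM public key pulled out. The layer contents, the `org.example/build-id` annotation and the assumption that non-cosign layer annotations are user annotations are all constructed for this example; keyless (issuer, subject) extraction from the certificate annotation is not covered.

```python
import base64
import json

# Constructed sample of `.layers[0]` from `crane manifest $COSIGN_IMAGE` for a
# key-based cosign signature: a hashedrekord Rekor entry inside the
# dev.sigstore.cosign/bundle annotation. Every value below is made up.
_PEM = b"-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0C...constructed...\n-----END PUBLIC KEY-----\n"
_REKOR_ENTRY = {
    "apiVersion": "0.0.1",
    "kind": "hashedrekord",
    "spec": {
        "data": {"hash": {"algorithm": "sha256", "value": "ab" * 32}},
        "signature": {
            "content": base64.b64encode(b"constructed-signature").decode(),
            "publicKey": {"content": base64.b64encode(_PEM).decode()},
        },
    },
}
_BUNDLE = {
    "SignedEntryTimestamp": "constructed",
    "Payload": {
        "body": base64.b64encode(json.dumps(_REKOR_ENTRY).encode()).decode(),
        "integratedTime": 1660000000,
    },
}
SAMPLE_LAYER = {
    "annotations": {
        "dev.cosignproject.cosign/signature": _REKOR_ENTRY["spec"]["signature"]["content"],
        "dev.sigstore.cosign/bundle": json.dumps(_BUNDLE),
        "org.example/build-id": "ci-42",  # assumption: a user-supplied annotation
    }
}
COSIGN_RESERVED = ("dev.cosignproject.cosign/", "dev.sigstore.cosign/")


def unwrap_bundle(layer):
    """The issue's jq pipeline: bundle | fromjson | .Payload.body | @base64d | fromjson."""
    bundle = json.loads(layer["annotations"]["dev.sigstore.cosign/bundle"])
    return bundle, json.loads(base64.b64decode(bundle["Payload"]["body"]))


def describe_signature(layer):
    """One entry of the listing the issue asks for: timestamp, pubkey, annotations."""
    bundle, entry = unwrap_bundle(layer)
    if entry.get("kind") != "hashedrekord":
        raise ValueError(f"unsupported Rekor entry kind: {entry.get('kind')}")
    pem = base64.b64decode(entry["spec"]["signature"]["publicKey"]["content"]).decode()
    # Assumption: anything outside cosign's reserved namespaces is a user annotation.
    extra = {k: v for k, v in layer["annotations"].items() if not k.startswith(COSIGN_RESERVED)}
    return {"integrated_time": bundle["Payload"]["integratedTime"], "public_key": pem, "annotations": extra}
```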
Alternatives you've considered
No response
Anything else?
No response