Use Keyfactor SignServer for attestation signing
Summary
The Chainloop CLI can sign attestations with a preconfigured SignServer instance: instead of a local key, you reference the SignServer signing worker as the key when the attestation is pushed.
SignServer is a platform for digitally signing code, documents and timestamps. Check it out at https://www.signserver.org/about/.
Setting up SignServer
If your organization does not run it already, you can follow these tutorials for a basic setup of Keyfactor's PKI solutions:
- Quick Start Guide - Start EJBCA Container with Client Certificate Authenticated Access
- Quick Start Guide - Issue Client Authentication Certificate using EJBCA
- Quick Start Guide - Start SignServer Container with Client Certificate Authenticated Access
Finally, you must have a Crypto Worker and a Signing Worker configured in SignServer. You can follow the Cosign tutorial for this, since the worker configuration steps are similar.
Once configured, the SignServer signing worker is reachable at a URL such as https://mysignserver/PlainSigner.
Note that, at this time, SignServer authentication is not implemented; the exception is TLS client certificate authentication, described below.
Signing Chainloop attestations with SignServer
With the SignServer key reference passed to the CLI, Chainloop prepares the in-toto payload to be signed and sends it to SignServer. The returned signature is embedded in the final attestation, which is then pushed to the Chainloop Evidence Store.
This is an example of a Chainloop session integrated with SignServer:
Crafting and signing an attestation.
Using a TLS Client certificate for authentication
If your SignServer signing worker has been configured for client certificate authentication, add the --signserver-client-cert flag to the push command.
Verifying the attestation
Verifying the attestation requires the signing certificate and the root CA certificate, both provided by your organization out-of-band: the verifier checks that the signing certificate chains to that root CA and that the attestation signature validates with the certificate's public key.
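The following Go program is an added illustration of what the signing and verification steps above amount to; it is not code from Chainloop or SignServer. It assumes the signing worker is configured with SHA256withECDSA and that the bytes handed to the worker are the DSSE pre-authentication encoding (PAE) of the in-toto statement, as the DSSE specification requires. The root CA, signing certificate, keys, the worker reference signserver://mysignserver/PlainSigner and the in-toto statement are all generated or constructed inline in place of the material your organization would provide out-of-band.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"fmt"
	"math/big"
	"time"
)

type Signature struct{ KeyID, Sig string } // DSSE "keyid" and base64 "sig"
type Envelope struct {                     // DSSE envelope around the in-toto statement
	PayloadType, Payload string // "payloadType" and base64 "payload"
	Signatures           []Signature
}

// pae is the DSSE pre-authentication encoding: the exact bytes the signer receives, never the raw payload.
func pae(payloadType string, payload []byte) []byte {
	return []byte(fmt.Sprintf("DSSEv1 %d %s %d %s", len(payloadType), payloadType, len(payload), payload))
}

// signStatement builds the envelope the CLI pushes; keyID is the SignServer worker reference.
func signStatement(statement []byte, key *ecdsa.PrivateKey, keyID string) (Envelope, error) {
	const payloadType = "application/vnd.in-toto+json"
	// What a PlainSigner worker does with the bytes it is handed (SHA256withECDSA assumed here).
	digest := sha256.Sum256(pae(payloadType, statement))
	sig, err := ecdsa.SignASN1(rand.Reader, key, digest[:])
	if err != nil {
		return Envelope{}, err
	}
	return Envelope{PayloadType: payloadType, Payload: base64.StdEncoding.EncodeToString(statement),
		Signatures: []Signature{{KeyID: keyID, Sig: base64.StdEncoding.EncodeToString(sig)}}}, nil
}

// verifyEnvelope is the out-of-band check: the signing cert must chain to the root CA you were given,
// and a signature must verify with that cert's key over the PAE recomputed from the payload.
func verifyEnvelope(env Envelope, signingCert, rootCA *x509.Certificate) error {
	roots := x509.NewCertPool()
	roots.AddCert(rootCA)
	if _, err := signingCert.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}); err != nil {
		return fmt.Errorf("signing cert does not chain to the root CA: %w", err)
	}
	payload, err := base64.StdEncoding.DecodeString(env.Payload)
	if err != nil {
		return err
	}
	for _, s := range env.Signatures {
		raw, err := base64.StdEncoding.DecodeString(s.Sig)
		if err == nil && signingCert.CheckSignature(x509.ECDSAWithSHA256, pae(env.PayloadType, payload), raw) == nil {
			return nil
		}
	}
	return fmt.Errorf("no signature in the envelope verifies with the signing cert")
}

// newCert issues a leaf signed by parent, or a self-signed root when isCA is true (throwaway test PKI).
func newCert(cn string, isCA bool, key *ecdsa.PrivateKey, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, error) {
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour), IsCA: isCA, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature}
	if isCA { // self-signed root
		tmpl.KeyUsage, parent, parentKey = x509.KeyUsageCertSign, tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// runExample stands up a throwaway root CA and signing cert (in place of the ones your organization hands
// out), signs a constructed statement, and reports: genuine verifies, tampered rejected, unrelated root rejected.
func runExample() (genuineOK, tamperRejected, wrongRootRejected bool) {
	newKey := func() *ecdsa.PrivateKey { return must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)) }
	rootKey, signKey, otherKey := newKey(), newKey(), newKey()
	rootCA := must(newCert("Example Root CA", true, rootKey, nil, nil))
	signingCert := must(newCert("PlainSigner", false, signKey, rootCA, rootKey))
	otherRoot := must(newCert("Unrelated CA", true, otherKey, nil, nil))
	// Constructed in-toto statement standing in for the one the CLI crafts during attestation.
	statement := []byte(`{"_type":"https://in-toto.io/Statement/v1","subject":[{"name":"app.tar.gz","digest":{"sha256":"ab12"}}],"predicateType":"https://example.com/attestation/v1","predicate":{}}`)
	env := must(signStatement(statement, signKey, "signserver://mysignserver/PlainSigner"))
	// One extra byte in the payload changes the PAE, so the stored signature no longer matches.
	tampered := Envelope{PayloadType: env.PayloadType, Payload: base64.StdEncoding.EncodeToString([]byte(string(statement) + " ")), Signatures: env.Signatures}
	return verifyEnvelope(env, signingCert, rootCA) == nil,
		verifyEnvelope(tampered, signingCert, rootCA) != nil,
		verifyEnvelope(env, signingCert, otherRoot) != nil
}

func main() {
	fmt.Println(runExample()) // true true true
}
```

The two failure paths are the ones a verifier must get right: a payload edited after signing fails because the signature covers the PAE of the payload, and a signing certificate presented with a root CA other than the one your organization distributed fails the chain check before the signature is even examined.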