Finally, you must have a Crypto worker and a Signing worker configured in SignServer. You can follow this Cosign tutorial, since the steps for worker configuration are similar. Once configured, the SignServer signer worker is reachable at a URL such as https://mysignserver/PlainSigner. Note that, at this moment, SignServer authentication is not implemented.
Using the CLI options above, Chainloop prepares the In-toto payload to be signed and sends it to SignServer for signing. The returned signature is then included in the final attestation, which is sent to the Chainloop Evidence Store for storage.

This is an example of a Chainloop session integrated with SignServer:

Crafting and signing an attestation.
```
➜ chainloop att init --workflow mywf --project myproject
INF Attestation initialized! now you can check its status or add materials to it
┌───────────────────┬──────────────────────────────────────┐
│ Initialized At    │ 18 Jun 24 09:10 UTC                  │
├───────────────────┼──────────────────────────────────────┤
│ Attestation ID    │ 32c7eeed-ae4d-4a07-8a85-44a6b05458dc │
│ Name              │ mywf                                 │
│ Team              │                                      │
│ Project           │ myproject                            │
│ Contract Revision │ 1                                    │
└───────────────────┴──────────────────────────────────────┘
➜ chainloop att add --value evidence.txt
INF material kind detected kind=ARTIFACT
INF material added to attestation
➜ chainloop att push --key signserver://localhost:8443/PlainSigner --bundle mybundle.json --signserver-ca-path ../keyfactor/localhost-chain.pem
INF generating Sigstore bundle mybundle.json
INF push completed
┌───────────────────┬──────────────────────────────────────┐
│ Initialized At    │ 18 Jun 24 09:10 UTC                  │
├───────────────────┼──────────────────────────────────────┤
│ Attestation ID    │ 32c7eeed-ae4d-4a07-8a85-44a6b05458dc │
│ Name              │ mywf                                 │
│ Team              │                                      │
│ Project           │ myproject                            │
│ Contract Revision │ 1                                    │
└───────────────────┴──────────────────────────────────────┘
┌────────────────────────────────────────────────────────────────────────────────────┐
│ Materials                                                                          │
├──────────┬─────────────────────────────────────────────────────────────────────────┤
│ Name     │ material-1718701829813801000                                            │
│ Type     │ ARTIFACT                                                                │
│ Set      │ Yes                                                                     │
│ Required │ No                                                                      │
│ Value    │ evidence.txt                                                            │
│ Digest   │ sha256:e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 │
└──────────┴─────────────────────────────────────────────────────────────────────────┘
Attestation Digest: sha256:8b247c21e201e1bd1367add9ee8bfd12c5a0866add39225fda6240c0ef10a64e
```
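To see what the SignServer signature in the pushed Sigstore bundle actually covers, here is an added inspection helper (example code, not part of Chainloop or SignServer). It assumes the bundle carries a DSSE envelope under `dsseEnvelope` and that, as the DSSE spec requires, the signature is over the pre-authentication encoding (PAE) of the In-toto statement rather than the raw payload; the bundle below is constructed inline and its predicate type is a placeholder.

```python
import base64
import json

# Constructed sample, not a bundle produced by Chainloop: an in-toto Statement
# for the evidence.txt material above, wrapped in a DSSE envelope as it appears
# under a Sigstore bundle's "dsseEnvelope" key. The sig value is a placeholder.
STATEMENT = {
    "_type": "https://in-toto.io/Statement/v1",
    "subject": [{"name": "evidence.txt", "digest": {
        "sha256": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"}}],
    "predicateType": "https://example.com/predicate/v1",  # placeholder, not Chainloop's
    "predicate": {},
}
SAMPLE_BUNDLE = json.dumps({
    "mediaType": "application/vnd.dev.sigstore.bundle+json;version=0.3",
    "dsseEnvelope": {
        "payloadType": "application/vnd.in-toto+json",
        "payload": base64.b64encode(json.dumps(STATEMENT).encode()).decode(),
        "signatures": [{"keyid": "", "sig": base64.b64encode(b"<constructed>").decode()}],
    },
})


def pae(payload_type: str, payload: bytes) -> bytes:
    """DSSE pre-authentication encoding: the exact bytes a verifier must check
    the signature against. Signing the raw payload instead is a DSSE violation."""
    return b"DSSEv1 %d %s %d %s" % (len(payload_type), payload_type.encode(),
                                    len(payload), payload)


def inspect_bundle(bundle_json: str) -> dict:
    """Decode the envelope, sanity-check it, and return what was attested and
    the PAE bytes to hand to the signature check against the SignServer key."""
    env = json.loads(bundle_json)["dsseEnvelope"]
    if env["payloadType"] != "application/vnd.in-toto+json":
        raise ValueError("unexpected payloadType: %s" % env["payloadType"])
    if not env.get("signatures") or not all(s.get("sig") for s in env["signatures"]):
        raise ValueError("envelope carries no signature")
    payload = base64.b64decode(env["payload"])
    stmt = json.loads(payload)
    return {
        "subjects": {s["name"]: s["digest"] for s in stmt["subject"]},
        "predicate_type": stmt["predicateType"],
        "signature_count": len(env["signatures"]),
        "signed_bytes": pae(env["payloadType"], payload),
    }


if __name__ == "__main__":
    info = inspect_bundle(SAMPLE_BUNDLE)
    print(info["subjects"], info["signature_count"], info["signed_bytes"][:40])
```

Feed `signed_bytes` and the decoded `sig` to the verification routine for the worker's key to confirm the bundle was really signed by your SignServer worker.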
If your SignServer signer worker has been configured for client certificate authentication, you can add the flag --signserver-client-cert to the push command:
```
➜ chainloop att push --key signserver://localhost:8443/PlainSigner --signserver-ca-path ../keyfactor/localhost-chain.pem --signserver-client-cert ../keyfactor/client.pem
```