chainloop attestation push command.
Verification of the attestation integrity is done through the workflow run describe --verify true command (to verify an online attestation) or the attestation verify --bundle bundle.json command (to verify a downloaded attestation bundle).
The signing and verification methods used by Chainloop CLI will depend on the different options provided.
These are the various signing and verification methods currently supported by Chainloop:
--key argument for key references.

Method | Signing (chainloop att push) | Verifying (chainloop wf run describe --verify true)
---|---|---
Cosign key | --key cosign.key | --key cosign.pub
KMS | --key awskms://<KeyID> | --key awskms://<KeyID>
PKCS#11 | --key pkcs11://<KeyId> | --key pkcs11://<KeyId>
Kubernetes secret | --key k8s://<namespace>/<secretName> (the secret is expected to hold cosign.key and cosign.password) | --key k8s://<namespace>/<secretName> (the secret is expected to hold cosign.pub)
GitLab secret | --key gitlab://<project> (looks for the COSIGN_PRIVATE_KEY and COSIGN_PASSWORD variables) | --key gitlab://<project> (looks for the COSIGN_PUBLIC_KEY variable)
Method | Signing (chainloop att push) | Verifying (chainloop wf run describe --verify true)
---|---|---
Ephemeral (file based CA) | Configure your CA in your deployment and omit --key when pushing your attestation. | See bundles
Ephemeral (EJBCA) | Connect your EJBCA instance to your Chainloop deployment using these settings. Omit --key when pushing the attestation. | See bundles
SignServer | Sign with your SignServer instance using --key signserver://host/worker. | 
chainloop wf run describe already detects a verifiable attestation and tries to perform the verification automatically. In these cases, you'll see "Verified: true" in the command output.
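As an added example (not part of the Chainloop docs or CLI), the following POSIX shell gate wraps the key-based flow from the tables above: it derives the verification --key reference from the signing one, pushes, and then treats the run as verified only when the output carries the "Verified: true" line. It assumes the chainloop CLI is on PATH (or named via CHAINLOOP); the key references are placeholders.

```shell
#!/bin/sh
# Added example, not the project's own code. Assumes the chainloop CLI is on
# PATH; override with CHAINLOOP=/path/to/chainloop if needed.
CHAINLOOP="${CHAINLOOP:-chainloop}"

# Derive the verification --key reference from the signing reference, as in
# the table: a cosign private key switches to its .pub file, URI references
# (awskms://, pkcs11://, k8s://, gitlab://) are reused unchanged. SignServer
# has no --key verification listed on this page, so it is rejected here.
verify_ref_for() {
  case "$1" in
    awskms://*|pkcs11://*|k8s://*|gitlab://*) printf '%s\n' "$1" ;;
    *.key) printf '%s\n' "${1%.key}.pub" ;;
    *) return 1 ;;
  esac
}

# Sign and push the attestation with the given key reference.
push_signed() {
  "$CHAINLOOP" attestation push --key "$1"
}

# Online verification. Do not rely on the exit status alone: the run counts
# as verified only when the output contains the "Verified: true" line.
verify_run() {
  out=$("$CHAINLOOP" workflow run describe --verify true --key "$1" 2>&1) || return 1
  printf '%s\n' "$out" | grep -q 'Verified: true'
}

# Offline verification of a downloaded attestation bundle.
verify_bundle() {
  "$CHAINLOOP" attestation verify --bundle "$1"
}

# Full gate: push with the signing reference, then re-verify with the
# derived public reference. Fails early for references with no --key
# verification path (use a bundle for those).
sign_and_verify() {
  pub=$(verify_ref_for "$1") || {
    echo "no --key verification for $1; verify a bundle instead" >&2
    return 1
  }
  push_signed "$1" && verify_run "$pub"
}
```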