Skip to main content

Signing and verification methods

All attestations are bundled in a DSSE Envelope and signed before being sent to Chainloop Control Plane. This happens transparently while performing a chainloop attestation push command.

Verification of the attestation integrity is done through the workflow run describe --verify true command.

The signing and verification methods used by Chainloop CLI will depend on the different options provided.

These are the various signing and verification methods currently supported by Chainloop:


Some of these signing methods are inherited from the amazing Sigstore community products. Please make sure to check their documentation on the usage of the --key argument for key references.

Signing with a local key

These methods require setting up a key and/or KMS authentication in the local environment (laptop, CI system ...).

MethodSigning (chainloop att push)Verifying (chainloop wf run describe --verify true)
Cosign key--key cosign.key--key
KMS--key awskms://<KeyID>--key awskms://<KeyID>
PKCS#11--key pkcs11://<KeyId>--key pkcs11://<KeyId>
Kubernetes secret--key k8s://<namespace>/<secretName> (where cosign.key and cosign.password secrets are expected)--key k8s://<namespace>/<secretName> (where is expected)
Gitlab secret--key gitlab://<project> (it will look for COSIGN_PRIVATE_KEY, COSIGN_PASSWORD variables)--key gitlab://<project> (it will look for COSIGN_PUBLIC_KEY variable)

Keyless signing

These methods don't require any special setup in the client. For the verification command, you must make sure you get the CA certificate chain out-of-band, as it will be required to validate the ephemeral signing certificate.

MethodSigning (chainloop att push)Verifying (chainloop wf run describe --verify true)
Ephemeral (file based CA)Configure your CA in your deployment and omit the --key when pushing your attestation.See bundles
Ephemeral (EJBCA)Connect your EJBCA instance to your Chainloop deployment using these settings. Omit --key when pushing the attestation.See bundles
SignServerYou can sign with your instance of SignServer with --key signserver://host/workerSee bundles


When signing with a verification method that supports it (like keyless with ephemeral certificates), you can download the verification material used for signing, to be used later during the verification process.

Just add --bundle my-bundle.json to the push command. Then, you can use the material to verify the attestation:

> cat my-bundle.json | jq -r ".verificationMaterial.x509CertificateChain.certificates.[].rawBytes" | base64 --decode | openssl x509 -inform DER -outform PEM -out cert.pem
> chainloop wf run describe --digest ... --verify true --cert cert.pem --cert-chain my-root.pem

Not yet supported

The following methods are work in progress and not yet supported.

Ephemeral (file based CA) with verification bundle stored in the control planeNo key neededNo verification material needed (will be automatically downloaded from Chainloop Vault)
x509 certificate--key privatekey --cert cert.pem --cert-chain chain.pem--cert cert.pem --cert-chain chain.pem