Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Spike: Explore how we can manage keys for making attestations #55

Closed
Racer159 opened this issue Jun 3, 2024 · 2 comments
Closed

Spike: Explore how we can manage keys for making attestations #55

Racer159 opened this issue Jun 3, 2024 · 2 comments
Assignees
@Racer159
Labels
enhancement ✨ New feature or request

Comments

@Racer159
Copy link
Contributor

Racer159 commented Jun 3, 2024

Is your feature request related to a problem? Please describe.

We need to determine an easy way to manage / provide keys to allow workload attestations to work within our SWF pipelines - this will target the in-toto specification (with witness as the underlying tooling to start - this may eventually be vendored directly into Maru).

Describe the solution you'd like

  • Given I have a workload in a GitLab runner that I would like to create an attestation for
  • When that workload runs
  • Then an attestation is able to be generated with minimal user input

Describe alternatives you've considered

We could avoid attestations / in-toto but there is a lot of nice auditing capabilities that we would be missing out on without it.

Additional context

SPIFFE / SPIRE is a likely candidate for implementing this though an ADR should be created that outlines our selection.
@Racer159 Racer159 added the enhancement ✨ New feature or request label Jun 3, 2024
@Racer159 Racer159 mentioned this issue Jun 3, 2024
Closed
@Racer159 Racer159 self-assigned this Jun 21, 2024
@Racer159
Copy link
Contributor Author

After some investigation leaning towards sigstore - if this is easy enough to airgap deploy we could use it for signing lots of stuff - including users signing things (not just workloads)

@Racer159
Copy link
Contributor Author

Blocked on decisions around:

defenseunicorns/uds-core#509
defenseunicorns/uds-identity-config#115

@Racer159 Racer159 closed this as completed Aug 6, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@Racer159 Racer159

Labels
enhancement ✨ New feature or request
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@Racer159