Skip to content

Commit

Permalink
Document Staging instance usage with Keyless (#1824)
Browse files Browse the repository at this point in the history
Signed-off-by: Kenny Leung <kleung@chainguard.dev>
  • Loading branch information
k4leung4 authored May 2, 2022
1 parent 45e289d commit 88b68f4
Showing 1 changed file with 37 additions and 0 deletions.
37 changes: 37 additions & 0 deletions KEYLESS.md
Original file line number Diff line number Diff line change
Expand Up @@ -116,6 +116,43 @@ Signature timestamps are checked in the [rekor](https://github.com/sigstore/reko
* Probably a lot more: This is very experimental.
* More OIDC providers: Obvious.

## Public Staging Environment


There is a public staging environment that is running Fulcio, Rekor and OIDC issuer.

**NOTE** The staging environment provides no SLO guarantees nor the same protection of the root key material for TUF. This environment is meant for development and testing only, PLEASE do not use for production purposes.

The endpoints are as follows:

* https://fulcio.sigstage.dev
* https://rekor.sigstage.dev
* https://oauth2.sigstage.dev/auth

These instances are operated and maintained in the same manner as the public production environment for Sigstore.

### Usage

To use this instance, follow the steps below:

1. `rm -r ~/.sigstore`
1. `gsutil cp -r gs://tuf-root-staging/root.json .`
1. `cd tuf-root-staging`
1. `cosign initialize --mirror=tuf-root-staging --root=root.json`
1. `COSIGN_EXPERIMENTAL=1 cosign sign --oidc-issuer "https://oauth2.sigstage.dev/auth" --fulcio-url "https://fulcio.sigstage.dev" --rekor-url "https://rekor.sigstage.dev" ${IMAGE}`
1. `COSIGN_EXPERIMENTAL=1 cosign verify --rekor-url "https://rekor.sigstage.dev" ${IMAGE}`

* Steps 1-4 configures your local environment to use the staging keys and certificates.
* Step 5 specify the staging environment with flags needed for signing.
* Step 6 specify the staging environment with flags needed for verifying.

#### Revert back to Production

We need to clear the local TUF root data and re-initialize with the default production TUF root data.

1. `rm -r ~/.sigstore`
1. `cosign initialize`

## Custom Infrastructure

If you're running your own sigstore services flags are available to set your own endpoint's, e.g
Expand Down

0 comments on commit 88b68f4

Please sign in to comment.