Cosign Key Management within Pipeline
For signing releases with cosign, a private key must be generated and made available to the pipeline agents (the GitLab runners). Organizational policies and best practices for key security (RBAC on who and what can use the key, rotation requirements, etc.) must be defined as part of this work.
Determine
- Where to store the key
- How the agents will access the key
- Rotation and other security requirements
Acceptance Criteria:
- Public/private key pair generated and managed securely within our AWS infrastructure.
- GitLab Runner images have access to the private key (and to nothing more than they need to sign).
- Self-signed may be fine for testing, but a valid cert will be required.
Tasks
- Update the runner image with cosign
- Provide access to the key
- Update the pipeline to run cosign
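One way the three tasks fit together, as an added example that is not this issue's or the project's own pipeline: a `.gitlab-ci.yml` that runs cosign from the updated runner image, reads the private key from a protected CI/CD variable, signs the release image by digest, and verifies it. The image name `runner-with-cosign` (assumed to have cosign and crane installed), the variables `COSIGN_PRIVATE_KEY` (type "File") and `COSIGN_PASSWORD`, the committed public key `cosign.pub`, and the KMS alias `release-signing` are all assumed names for illustration.

```yaml
# Added example, not the project's pipeline. Assumed names: the updated runner image
# "runner-with-cosign" (cosign + crane installed), masked and protected CI/CD variables
# COSIGN_PRIVATE_KEY (type "File", PEM private key) and COSIGN_PASSWORD, the public key
# cosign.pub committed at the repo root, and the AWS KMS alias "release-signing".
stages:
  - sign
  - verify

sign-release:
  stage: sign
  image: $CI_REGISTRY_IMAGE/runner-with-cosign:latest
  rules:
    - if: $CI_COMMIT_TAG            # only tagged releases get signed
  script:
    - cosign login "$CI_REGISTRY" -u "$CI_REGISTRY_USER" -p "$CI_REGISTRY_PASSWORD"
    # Resolve the tag to an immutable digest: the signature must bind to content,
    # not to a tag that can be moved later.
    - DIGEST=$(crane digest "$CI_REGISTRY_IMAGE:$CI_COMMIT_TAG")
    # GitLab writes a File-type variable to a temp file and puts its path in the
    # variable; cosign reads the passphrase from COSIGN_PASSWORD. --yes skips the
    # interactive upload prompt so the job cannot hang.
    - cosign sign --yes --key "$COSIGN_PRIVATE_KEY" "$CI_REGISTRY_IMAGE@$DIGEST"
    # Alternative that keeps the private key inside AWS KMS (no key material in CI
    # variables at all); the runner's IAM role then needs kms:Sign on the alias:
    #   cosign sign --yes --key awskms:///alias/release-signing "$CI_REGISTRY_IMAGE@$DIGEST"
    - echo "DIGEST=$DIGEST" > sign.env
  artifacts:
    reports:
      dotenv: sign.env             # hands DIGEST to the verify job

verify-release:
  stage: verify
  image: $CI_REGISTRY_IMAGE/runner-with-cosign:latest
  needs: [sign-release]
  rules:
    - if: $CI_COMMIT_TAG
  script:
    - cosign login "$CI_REGISTRY" -u "$CI_REGISTRY_USER" -p "$CI_REGISTRY_PASSWORD"
    # Verification needs only the public key, which is safe to commit and to hand
    # to consumers; it should fail the pipeline if the signature is missing or wrong.
    - cosign verify --key cosign.pub "$CI_REGISTRY_IMAGE@$DIGEST"
```

Marking the key variables as protected means only jobs on protected branches and tags can read them, which is the RBAC control for "who can sign"; rotation then amounts to replacing the variable (or the KMS key version) and republishing `cosign.pub`. With the KMS variant, the public key can be exported once with `cosign public-key --key awskms:///alias/release-signing` so verifiers never need AWS credentials.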
Edited by Jared Ladner