UNCLASSIFIED - NO CUI

Skip to content

Update cosign certs

Tim Seagren requested to merge update-cosign-certs into master

Description

This MR updates the certificates used to verify cosign signatures created in our pipeline. The old cert expires in 6 days.

We will also need to update the CI vars for COSIGN_CERT to put this into effect. This MR is effectively documentation. The KMS_KEY_SHORT_ARN will not be changing.

Also note, old signatures will still be capable of being validated after rotating these resources.

Risk

If this fails, no one will be able to verify signatures correctly, and consequentially the pipeline will fail where we validate.

Rollback Plan

Lol let's enjoy our last 6 days

Testing

  • Tested using staging certificate/key in sign command
  • Tested verification using new prod keys on staging image signed with prod key (sounds bad, but isn't if you think about it). This is necessary because it is currently not possible to verify our signatures using the staging key, something that actually warrants a followup issue...
  • Tested verifying image in prod with new certificate, to confirm new cert has no problem verifying legacy signatures (why would it?).
Edited by Tim Seagren

Merge request reports