Allow the pipeline to use old cosign key until re-signing is complete. (!1440) · Merge requests · Iron Bank / ironbank-pipeline

Jeffrey Wuebbles requested to merge use-old-cosign-key-for-base-image-validation into master Sep 12, 2024

Description

Base images with old tags are not being rebuilt and therefor not resigned. This allows images that use older tags on base images to pass until the resigning is done. After resigning is complete the code can be easily changed to only allow the new cosign key to work.

How to use:

Set the CI/CD var OLD_COSIGN_PUBLIC_KEY as a file type variable and the contents of the old public key.
Set the CI/CD var ENABLE_OLD_COSIGN_PUBLIC_KEY as a variable type with any value.

Before:

https://repo1.dso.mil/dsop/aperio-global/russel/api/-/jobs/38180823

After:

~~https://repo1.dso.mil/dsop/aperio-global/russel/api/-/jobs/38181105~~
https://repo1.dso.mil/dsop/aperio-global/russel/api/-/pipelines/3603623

When both keys fail:

https://code-ib-mario.staging.dso.mil/dsop/rapidfort/ansible/-/jobs/336828

Edited Sep 12, 2024 by Jeffrey Wuebbles

Admin message

Allow the pipeline to use old cosign key until re-signing is complete.

Description

How to use:

Merge request reports