.nh
.TH CONTAINERS-SIGSTORE-SIGNING-PARAMS.YAML 5 "January 2023" "Miloslav Trmač" "sigstore signing parameters Man Page"
.SH NAME
.PP
containers-sigstore-signing-params.yaml - syntax for the sigstore signing parameter file
.SH DESCRIPTION
.PP
Sigstore signing parameter files are used to store options that may be required to create sigstore signatures.
There is no default location for these files; they are user-managed, and used as inputs to a container image signing operation,
e.g. \fBskopeo copy --sign-by-sigstore=\fR\fIparam-file\fP\fB\&.yaml\fR or \fBpodman push --sign-by-sigstore=\fR\fIparam-file\fP\fB\&.yaml\fR\&.
.SH FORMAT
.PP
Sigstore signing parameter files use YAML.
.PP
Many parameters are optional, but the file must specify enough to create a signature; in particular either a private key, or Fulcio.
.SS Signing with Private Keys
.RS
.IP \(bu 2
\fBprivateKeyFile:\fR \fIpath\fP
.RE
.PP
Create a signature using a private key at \fIpath\fP\&.
Existence of this field triggers the use of a private key.
.RS
.IP \(bu 2
\fBprivateKeyPassphraseFile:\fR \fIpassphrasePath\fP
.RE
.PP
Read the passphrase required to use \fBprivateKeyFile\fR from \fIpassphrasePath\fP\&.
Optional: if this is not set, the user must provide the passphrase interactively.
.SS Signing with Fulcio-generated Certificates
.PP
Instead of a static private key, the signing process generates a short-lived key pair and requests a Fulcio server to issue a certificate for that key pair,
based on the user authenticating to an OpenID Connect provider.
.PP
To specify Fulcio, include a \fBfulcio\fR sub-object with one or more of the following keys.
In addition, a Rekor server must be specified as well.
.RS
.IP \(bu 2
\fBfulcioURL:\fR \fIURL\fP
.RE
.PP
Required.
URL of the Fulcio server to use.
.RS
.IP \(bu 2
\fBoidcMode:\fR \fBinteractive\fR | \fBdeviceGrant\fR | \fBstaticToken\fR
.RE
.PP
Required.
Specifies how to obtain the necessary OpenID Connect credential.
.PP
\fBinteractive\fR opens a web browser on the same machine, or if that is not possible, asks the user to open a browser manually and to type in the provided code.
It requires the user to be able to directly interact with the signing process.
.PP
\fBdeviceGrant\fR uses a device authorization grant flow (RFC 8628).
It requires the user to be able to read text printed by the signing process, and to act on it reasonably promptly.
.PP
\fBstaticToken\fR provides a pre-existing OpenID Connect \(lqID token\(rq, which must have been obtained separately.
.RS
.IP \(bu 2
\fBoidcIssuerURL:\fR \fIURL\fP
.RE
.PP
Required for \fBoidcMode:\fR \fBinteractive\fR or \fBdeviceGrant\fR\&.
URL of an OpenID Connect issuer server to authenticate with.
.RS
.IP \(bu 2
\fBoidcClientID:\fR \fIclient ID\fP
.RE
.PP
Used for \fBoidcMode:\fR \fBinteractive\fR or \fBdeviceGrant\fR to identify the client when contacting the issuer.
Optional but likely to be necessary in those cases.
.RS
.IP \(bu 2
\fBoidcClientSecret:\fR \fIclient secret\fP
.RE
.PP
Used for \fBoidcMode:\fR \fBinteractive\fR or \fBdeviceGrant\fR to authenticate the client when contacting the issuer.
Optional.
.RS
.IP \(bu 2
\fBoidcIDToken:\fR \fItoken\fP
.RE
.PP
Required for \fBoidcMode: staticToken\fR\&.
An OpenID Connect ID token that identifies the user (and authorizes certificate issuance).
.SS Recording the Signature to a Rekor Transparency Server
.PP
This can be combined with either a private key or Fulcio.
It is, practically speaking, required for Fulcio; it is optional when a static private key is used,
but necessary for interoperability with the default configuration of \fBcosign\fR\&.
.RS
.IP \(bu 2
\fBrekorURL\fR: \fIURL\fP
.RE
.PP
URL of the Rekor server to use.
.SH EXAMPLES
.SS Sign Using a Pre-existing Private Key
.PP
Uses the \(lqcommunity infrastructure\(rq Rekor server.
.EX
privateKeyFile: "/home/user/sigstore/private-key.key"
privateKeyPassphraseFile: "/mnt/user/sigstore-private-key"
rekorURL: "https://rekor.sigstore.dev"
.EE
.SS Sign Using a Fulcio-Issued Certificate
.PP
Uses the \(lqcommunity infrastructure\(rq Fulcio and Rekor servers, and the Dex OIDC issuer which delegates to other major issuers like Google and GitHub.
.PP
Other configurations will very likely need to also provide an OIDC client secret.
.EX
fulcio:
  fulcioURL: "https://fulcio.sigstore.dev"
  oidcMode: "interactive"
  oidcIssuerURL: "https://oauth2.sigstore.dev/auth"
  oidcClientID: "sigstore"
rekorURL: "https://rekor.sigstore.dev"
.EE
.SH SEE ALSO
.PP
skopeo(1), podman(1)
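.PP
The FORMAT section above lists which keys are required together (a private key or a \fBfulcio\fR sub-object; \fBfulcioURL\fR, \fBoidcMode\fR and \fBrekorURL\fR with Fulcio; \fBoidcIssuerURL\fR for \fBinteractive\fR/\fBdeviceGrant\fR; \fBoidcIDToken\fR for \fBstaticToken\fR). The following Python script, added here as an illustration and not part of containers/image, skopeo or podman, checks a parameter file against those rules before it is passed to \fB--sign-by-sigstore\fR, so a misconfiguration is caught before a signing run prompts or fails. The \fBparse_params\fR helper is an assumption made only so the script runs without PyYAML: it understands just the flat and one-level-nested \fBkey: "value"\fR subset shown in the EXAMPLES; real tooling should use \fByaml.safe_load\fR. The sample documents are constructed to mirror the two examples above plus one deliberately incomplete file.

```python
"""Added example (not part of containers/image, skopeo or podman): check a
containers-sigstore-signing-params.yaml document against the rules the man
page states, before handing it to --sign-by-sigstore."""
from typing import Dict, List, Tuple

VALID_OIDC_MODES = ("interactive", "deviceGrant", "staticToken")


def parse_params(text: str) -> Dict:
    """Parse the restricted YAML subset these files use: `key: "value"` lines plus
    one level of nesting (the fulcio sub-object) marked by two-space indentation.
    Assumption: this stands in for yaml.safe_load only so the example runs without
    PyYAML; it does not handle lists, multi-line scalars or deeper nesting."""
    root: Dict = {}
    current = root
    for raw in text.splitlines():
        stripped = raw.strip()
        if not stripped or stripped.startswith("#"):
            continue
        key, sep, value = stripped.partition(":")   # first colon ends the key
        if not sep:
            raise ValueError(f"malformed line: {raw!r}")
        if not raw.startswith(" "):
            current = root                          # back at the top level
        value = value.strip().strip('"')
        if value == "":
            current[key] = {}                       # start of a sub-object, e.g. `fulcio:`
            current = current[key]
        else:
            current[key] = value
    return root


def validate_params(params: Dict) -> Tuple[List[str], List[str]]:
    """Return (errors, warnings). Errors mean no signature can be produced;
    warnings flag settings that are legal but will prompt interactively or
    break interoperability with a default cosign setup."""
    errors: List[str] = []
    warnings: List[str] = []
    has_key = "privateKeyFile" in params
    fulcio = params.get("fulcio")

    if not has_key and fulcio is None:
        errors.append("neither privateKeyFile nor a fulcio sub-object is set")

    if has_key:
        if "privateKeyPassphraseFile" not in params:
            warnings.append("privateKeyPassphraseFile not set; the passphrase will be requested interactively")
        if "rekorURL" not in params:
            warnings.append("rekorURL not set; the signature will not be recorded in Rekor, "
                            "which the default cosign configuration expects")

    if fulcio is not None:
        if not isinstance(fulcio, dict):
            errors.append("fulcio must be a mapping of Fulcio/OIDC keys")
            return errors, warnings
        if "fulcioURL" not in fulcio:
            errors.append("fulcio.fulcioURL is required")
        mode = fulcio.get("oidcMode")
        if mode not in VALID_OIDC_MODES:
            errors.append(f"fulcio.oidcMode must be one of {VALID_OIDC_MODES}, got {mode!r}")
        elif mode == "staticToken":
            if "oidcIDToken" not in fulcio:
                errors.append("fulcio.oidcIDToken is required for oidcMode: staticToken")
        else:  # interactive or deviceGrant: the issuer must be reachable by URL
            if "oidcIssuerURL" not in fulcio:
                errors.append(f"fulcio.oidcIssuerURL is required for oidcMode: {mode}")
            if "oidcClientID" not in fulcio:
                warnings.append(f"fulcio.oidcClientID not set; most issuers require it for oidcMode: {mode}")
        if "rekorURL" not in params:
            errors.append("rekorURL is required when signing with a Fulcio-issued certificate")
    return errors, warnings


# Constructed inputs mirroring the man page's two EXAMPLES sections.
PRIVATE_KEY_PARAMS = '''\
privateKeyFile: "/home/user/sigstore/private-key.key"
privateKeyPassphraseFile: "/mnt/user/sigstore-private-key"
rekorURL: "https://rekor.sigstore.dev"
'''

FULCIO_PARAMS = '''\
fulcio:
  fulcioURL: "https://fulcio.sigstore.dev"
  oidcMode: "interactive"
  oidcIssuerURL: "https://oauth2.sigstore.dev/auth"
  oidcClientID: "sigstore"
rekorURL: "https://rekor.sigstore.dev"
'''

# Constructed broken input: staticToken mode without the token, and no Rekor server.
BROKEN_PARAMS = '''\
fulcio:
  fulcioURL: "https://fulcio.sigstore.dev"
  oidcMode: "staticToken"
'''

if __name__ == "__main__":
    for name, doc in [("private key", PRIVATE_KEY_PARAMS), ("fulcio", FULCIO_PARAMS), ("broken", BROKEN_PARAMS)]:
        errs, warns = validate_params(parse_params(doc))
        print(f"{name}: {len(errs)} error(s), {len(warns)} warning(s)")
        for e in errs:
            print("  ERROR:", e)
        for w in warns:
            print("  WARN:", w)
```

Run as-is, the script reports both man page examples as clean and flags the incomplete file with two errors (missing \fBoidcIDToken\fR and missing \fBrekorURL\fR). Warnings are deliberately separate from errors: a private-key file without \fBrekorURL\fR still signs, but the man page notes it will not interoperate with cosign's default configuration, which is what a reviewer of a CI signing setup usually wants surfaced.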