feat(verify): ✨ add custom Sigstore trusted root support #2003

Merged

stefanprodan merged 1 commit into fluxcd:main from qube-rt:feat/custom-sigstore-trusted-root on Jun 3, 2026

Conversation

@pmialon pmialon commented Mar 11, 2026


Enable signature verification of OCI artifacts and Helm charts against self-hosted Sigstore infrastructure (custom Fulcio CA, self-hosted Rekor instance) by introducing a trustedRootSecretRef field on the verify spec.

When set, the controller reads a trusted_root.json from the referenced Secret, extracts the Rekor URL from the transparency log entries, and creates a verifier using the custom trusted material instead of the public Sigstore TUF root.

Changes:

  • Add TrustedRootSecretRef field to OCIRepositoryVerification API type
  • Update HelmChart and OCIRepository CRD schemas
  • Refactor cosign verifier into three clear early-return paths (public key, custom trusted root, public Sigstore)
  • Add readTrustedRootFromSecret helper with tests
  • Wire trusted root reading into both HelmChart and OCIRepository controllers
  • Document custom Sigstore usage in v1 and v1beta2 specs

Closes: #1103
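Added example, not code from this PR or from the fluxcd project: the trusted_root.json read described above, done against Secret data with the Rekor URL picked out of the transparency log entries. The Secret key name trusted_root.json, the function names rekorURLFromSecretData and sampleSecretData, and the example.internal hosts are assumptions made for illustration; the JSON field names (tlogs, baseUrl, publicKey.rawBytes, publicKey.validFor) are those of the Sigstore TrustedRoot protojson schema. It goes one step beyond the description by handling a trusted root that lists a rotated log (one with a validFor.end) next to the active one.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"net/url"
)

// trustedRootKey is the Secret data key assumed here; the PR names the file but not the key.
const trustedRootKey = "trusted_root.json"

// trustedRoot is the subset of the Sigstore TrustedRoot protojson schema used below.
type trustedRoot struct {
	TLogs []struct {
		BaseURL   string `json:"baseUrl"`
		PublicKey struct {
			RawBytes string `json:"rawBytes"`
			ValidFor struct {
				End string `json:"end"` // empty while the log is still active
			} `json:"validFor"`
		} `json:"publicKey"`
	} `json:"tlogs"`
}

// rekorURLFromSecretData reads trusted_root.json from Secret data (corev1.Secret.Data
// is a map[string][]byte) and returns the base URL of the single active Rekor log.
// Rotated logs carry validFor.end and are skipped; active logs need an https URL and
// a PKIX public key that parses.
func rekorURLFromSecretData(data map[string][]byte) (string, error) {
	raw, ok := data[trustedRootKey]
	if !ok {
		return "", fmt.Errorf("secret has no %q key", trustedRootKey)
	}
	var tr trustedRoot
	if err := json.Unmarshal(raw, &tr); err != nil {
		return "", fmt.Errorf("decode trusted root: %w", err)
	}
	var active []string
	for _, l := range tr.TLogs {
		if l.PublicKey.ValidFor.End != "" {
			continue // rotated out; entries are kept only to verify old signatures
		}
		if u, err := url.Parse(l.BaseURL); err != nil || u.Scheme != "https" || u.Host == "" {
			return "", fmt.Errorf("tlog baseUrl %q is not an https URL", l.BaseURL)
		}
		der, err := base64.StdEncoding.DecodeString(l.PublicKey.RawBytes)
		if err == nil {
			_, err = x509.ParsePKIXPublicKey(der)
		}
		if err != nil {
			return "", fmt.Errorf("tlog key for %s: %w", l.BaseURL, err)
		}
		active = append(active, l.BaseURL)
	}
	if len(active) != 1 {
		return "", fmt.Errorf("expected exactly one active tlog, found %d", len(active))
	}
	return active[0], nil
}

// sampleSecretData is constructed input, not real Sigstore material: the log key is
// generated on the fly, and a rotated (ended) log sits next to the active one.
func sampleSecretData() (map[string][]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	pub, err := x509.MarshalPKIXPublicKey(&key.PublicKey)
	if err != nil {
		return nil, err
	}
	tlog := func(baseURL, end string) map[string]any {
		valid := map[string]string{"start": "2024-01-01T00:00:00Z"}
		if end != "" {
			valid["end"] = end // protojson omits an unset end, so set it only for rotated logs
		}
		return map[string]any{"baseUrl": baseURL, "hashAlgorithm": "SHA2_256", "publicKey": map[string]any{
			"rawBytes": base64.StdEncoding.EncodeToString(pub), "keyDetails": "PKIX_ECDSA_P256_SHA_256", "validFor": valid}}
	}
	raw, err := json.Marshal(map[string]any{
		"mediaType": "application/vnd.dev.sigstore.trustedroot+json;version=0.1",
		"tlogs":     []any{tlog("https://rekor-old.example.internal", "2025-01-01T00:00:00Z"), tlog("https://rekor.example.internal", "")},
	})
	if err != nil {
		return nil, err
	}
	return map[string][]byte{trustedRootKey: raw}, nil
}

func main() {
	data, err := sampleSecretData()
	if err != nil {
		panic(err)
	}
	fmt.Println(rekorURLFromSecretData(data))
}
```

With go run, the sample selects https://rekor.example.internal and ignores the rotated log. Before handing the material to a verifier, a production reader should also check the document's mediaType and parse the certificateAuthorities chain, so that a wrong file in the Secret fails at reconcile time rather than at first verification.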

@pmialon pmialon force-pushed the feat/custom-sigstore-trusted-root branch 2 times, most recently from f19c2e3 to 7ea3f5a on March 11, 2026 11:09
@stefanprodan stefanprodan added area/security Security related issues and pull requests area/oci OCI related issues and pull requests labels Mar 11, 2026
@pmialon pmialon force-pushed the feat/custom-sigstore-trusted-root branch from 7ea3f5a to cd768e2 on March 11, 2026 11:34
@stefanprodan

Member

@pmialon please run make api-docs and force push the changes to unblock CI.

@pmialon pmialon force-pushed the feat/custom-sigstore-trusted-root branch from 9991fba to 1ed98da on March 21, 2026 16:30
@stefanprodan

Member

@pmialon please undo the merge. We only accept rebase, so sync your fork with upstream main and rebase your branch. This PR should have a single commit.

@pmialon pmialon force-pushed the feat/custom-sigstore-trusted-root branch from 1ed98da to a457789 on April 1, 2026 16:54
@pmialon

pmialon commented Apr 1, 2026

Author

> @pmialon please undo the merge. We only accept rebase, so sync your fork with upstream main and rebase your branch. This PR should have a single commit.

@stefanprodan done, sorry for the delay.

@stefanprodan

Member

@pmialon one more rebase please, we'll merge this and continue in #2061

Enable signature verification of OCI artifacts against self-hosted
Sigstore infrastructure (custom Fulcio CA, self-hosted Rekor instance)
by introducing a trustedRootSecretRef field on the verify spec.

When set, the controller reads a trusted_root.json from the referenced
Secret, extracts the Rekor URL from the transparency log entries, and
creates a verifier using the custom trusted material instead of the
public Sigstore TUF root.

Signed-off-by: Pierre-Gilles Mialon <pierre-gilles.mialon@qube-rt.com>
@pmialon pmialon force-pushed the feat/custom-sigstore-trusted-root branch from 1ee7959 to bfad0e6 on June 3, 2026 17:54

@stefanprodan stefanprodan left a comment

Member

LGTM

Thanks @pmialon 🏅

@stefanprodan stefanprodan merged commit 9b2557e into fluxcd:main Jun 3, 2026
6 checks passed
@matheuscscp

matheuscscp commented Jun 12, 2026

Member

@stefanprodan There's a bug in this PR: HelmChart shares the type with OCIRepository. See the HelmChart CRD YAML changing while no docs or controller code are added (the field is ignored).

Going to fix this by splitting the type.

Development

Successfully merging this pull request may close these issues.

Improve cosign configuration options