Signing Key Configuration

Overview

To enable artifact signing in Tekton Chains, you need to generate and configure signing keys. This document explains how to generate and configure signing keys for different signing methods.

Generate Signing Key

WARNING

The signing key is used to generate signature information for artifacts. Please keep it secure.

Using Cosign

You can use the cosign tool to generate a signing key pair:

$ COSIGN_PASSWORD={password} cosign generate-key-pair k8s://tekton-pipelines/signing-secrets

Note:

You need to have the cosign CLI installed and access to the Kubernetes cluster
COSIGN_PASSWORD is the password for encrypting the signing key
tekton-pipelines is the namespace where the Chains component is deployed (default is tekton-pipelines)
signing-secrets is the name of the Secret for storing the signing key

After execution, you can view the corresponding Secret resource:

$ kubectl get secret signing-secrets -n tekton-pipelines -o yaml

apiVersion: v1
data:
  cosign.key: <base64-encoded-private-key>
  cosign.password: <base64-encoded-password>
  cosign.pub: <base64-encoded-public-key>
immutable: true
kind: Secret
metadata:
  name: signing-secrets
  namespace: tekton-pipelines
type: Opaque

Get the Signing Public Key

TIP

If you don't have permission, you can ask the administrator to get the public key.

$ export NAMESPACE=<tekton-pipelines>
$ kubectl get secret -n $NAMESPACE signing-secrets -o jsonpath='{.data.cosign\.pub}' | base64 -d > cosign.pub

Get the Signing Secret

$ export NAMESPACE=<tekton-pipelines>
$ kubectl get secret -n $NAMESPACE signing-secrets -o yaml > signing-secrets.yaml

Restart Tekton Chains

After configuring the signing key, restart the Tekton Chains component to make it take effect:

$ kubectl delete pods -n tekton-pipelines -l app=tekton-chains-controller

Wait for the component to start:

$ kubectl get pods -n tekton-pipelines -l app=tekton-chains-controller -w

NAME                                        READY   STATUS    RESTARTS   AGE
tekton-chains-controller-55876dfbbd-5wv5z   1/1     Running   0          1m30s

References

Signing Key Configuration

Overview

To enable artifact signing in Tekton Chains, you need to generate and configure signing keys. This document explains how to generate and configure signing keys for different signing methods.

Generate Signing Key

WARNING

The signing key is used to generate signature information for artifacts. Please keep it secure.

Using Cosign

You can use the cosign tool to generate a signing key pair:

$ COSIGN_PASSWORD={password} cosign generate-key-pair k8s://tekton-pipelines/signing-secrets

Note:

You need to have the cosign CLI installed and access to the Kubernetes cluster
COSIGN_PASSWORD is the password for encrypting the signing key
tekton-pipelines is the namespace where the Chains component is deployed (default is tekton-pipelines)
signing-secrets is the name of the Secret for storing the signing key

After execution, you can view the corresponding Secret resource:

$ kubectl get secret signing-secrets -n tekton-pipelines -o yaml

apiVersion: v1
data:
  cosign.key: <base64-encoded-private-key>
  cosign.password: <base64-encoded-password>
  cosign.pub: <base64-encoded-public-key>
immutable: true
kind: Secret
metadata:
  name: signing-secrets
  namespace: tekton-pipelines
type: Opaque

Get the Signing Public Key

TIP

If you don't have permission, you can ask the administrator to get the public key.

$ export NAMESPACE=<tekton-pipelines>
$ kubectl get secret -n $NAMESPACE signing-secrets -o jsonpath='{.data.cosign\.pub}' | base64 -d > cosign.pub

Get the Signing Secret

$ export NAMESPACE=<tekton-pipelines>
$ kubectl get secret -n $NAMESPACE signing-secrets -o yaml > signing-secrets.yaml

Restart Tekton Chains

After configuring the signing key, restart the Tekton Chains component to make it take effect:

$ kubectl delete pods -n tekton-pipelines -l app=tekton-chains-controller

Wait for the component to start:

$ kubectl get pods -n tekton-pipelines -l app=tekton-chains-controller -w

NAME                                        READY   STATUS    RESTARTS   AGE
tekton-chains-controller-55876dfbbd-5wv5z   1/1     Running   0          1m30s

Pipelines

Triggers

Operator

Results

Signing Key Configuration

TOC

Overview

Generate Signing Key

Using Cosign

Get the Signing Public Key

Get the Signing Secret

Restart Tekton Chains

References

Signing Key Configuration

TOC

Overview

Generate Signing Key

Using Cosign

Get the Signing Public Key

Get the Signing Secret

Restart Tekton Chains

References

Pipelines

Triggers

Operator

Results

#Signing Key Configuration

#TOC

#Overview

#Generate Signing Key

#Using Cosign

#Get the Signing Public Key

#Get the Signing Secret

#Restart Tekton Chains

#References

#Signing Key Configuration

#TOC

#Overview

#Generate Signing Key

#Using Cosign

#Get the Signing Public Key

#Get the Signing Secret

#Restart Tekton Chains

#References

Signing Key Configuration

TOC

Overview

Generate Signing Key

Using Cosign

Get the Signing Public Key

Get the Signing Secret

Restart Tekton Chains

References

Signing Key Configuration

TOC

Overview

Generate Signing Key

Using Cosign

Get the Signing Public Key

Get the Signing Secret

Restart Tekton Chains

References