TUF: Add support for signing_config.json

[zimmerad]

Description

Currently, when deploying tuf with the provided chart, cosign complains about a missing signing_config.v0.2.json file when calling cosign initialize:

cosign initialize --mirror http://localhost:8080 --root=http://localhost:8080/root.json --root-checksum ...

WARNING: Could not fetch signing_config.json from the TUF mirror (encountered error: getting info for target "signing_config.v0.2.json": target signing_config.v0.2.json not found). It is recommended to use a signing config file rather than provide service URLs when signing.

Upon performing a signing operation with cosign, the following error is printed:

Error: error getting signing config from TUF: error getting signing config from TUF: getting info for target "signing_config.v0.2.json": target signing_config.v0.2.json not found
error during command execution: error getting signing config from TUF: error getting signing config from TUF: getting info for target "signing_config.v0.2.json": target signing_config.v0.2.json not found

Version

cosign version: v3.0.5
tuf version: v0.7.31

[Hayden-IO]

fyi @jku

I would discourage using the TUF helm chart at the moment, and instead generate TUF target material, e.g. the trusted root and signing configuration, with cosign trusted-root/signing-config create and provide it out of band to clients. TUF is not a requirement in a deployment unless you are dealing with frequent rotations of key material.

[zimmerad]

@Hayden-IO
Coming back to this after setting everything up without a TUF and attempting to set up an ImageValidatingPolicy for Kyverno 1.17.1.

Local signing and verifying with Cosign worked flawlessly by providing a generated trusted_root.json and a signing config.

However, setting up the aforementioned Kyverno policy does seem to have a hard requirement on a TUF (please correct me if I'm wrong).

I assume the only option we have left in this case is using the Sigstore-provided policy controller?

Right now, we are debating which route to take. On one hand, we would prefer doing everything in Kyverno so that we do not have to manage and patch multiple policy controllers. On the other hand, we have a regulatory requirement to sign and verify our applications, and Cosign does seem to be the best solution for this.

Is there an ETA for when it will be possible to deploy our own TUF for Cosign 3 bundles?

Do you think a better approach would be to implement the ability to use ImageValidatingPolicy without providing a TUF/TUF root?(see kyverno/kyverno#15507)

I would be more than happy to help wherever possible.

[Hayden-IO]

I don't have familiarity with Kyverno, I'd follow up with them. It sounds like you may need to make a feature request to allow providing your own trusted root and signing configuration files, which seems like a reasonable request to me.