Essentially I'm trying to stand up a current implementation of what's detailed in sigstore/cosign#3457 (comment) where we have a centralized signing HSM that we'd like to sign our images with, without downloading the whole container to the signing infrastructure machines. In a nutshell it seems like I can sign the digest payload data from cosign generate $IMAGE_DIGEST > payload.json, upload it to rekor, but at this point I can't get the modern bundle format out of rekor-cli to feed into cosign attach signature --signature ... . Seems like this idea aligns with some of the discussion on sigstore/cosign#4477 for how the attach command can work . So, am I on the right track with thinking it reasonable to add the latest bundle output format to rekor-cli for that use case? I think I'll have time to put up a PR for that in the next few weeks if it sounds like a reasonable approach.
Essentially I'm trying to stand up a current implementation of what's detailed in sigstore/cosign#3457 (comment) where we have a centralized signing HSM that we'd like to sign our images with, without downloading the whole container to the signing infrastructure machines. In a nutshell it seems like I can sign the digest payload data from
cosign generate $IMAGE_DIGEST > payload.json, upload it to rekor, but at this point I can't get the modern bundle format out of rekor-cli to feed intocosign attach signature --signature .... Seems like this idea aligns with some of the discussion on sigstore/cosign#4477 for how the attach command can work . So, am I on the right track with thinking it reasonable to add the latest bundle output format to rekor-cli for that use case? I think I'll have time to put up a PR for that in the next few weeks if it sounds like a reasonable approach.