Alauda DevOps Pipelines Docs
  • English

    • Signing Key Configuration

    TOC

    Overview

    To enable artifact signing in Tekton Chains, you need to generate and configure signing keys. This document explains how to generate and configure signing keys for different signing methods.

    Generate Signing Key

    WARNING

    The signing key is used to generate signature information for artifacts. Please keep it secure.

    Using Cosign

    You can use the cosign tool to generate a signing key pair:

    $ COSIGN_PASSWORD={password} cosign generate-key-pair k8s://tekton-pipelines/signing-secrets

    Note:

    • You need to have the cosign CLI installed and access to the Kubernetes cluster
    • COSIGN_PASSWORD is the password for encrypting the signing key
    • tekton-pipelines is the namespace where the Chains component is deployed (default is tekton-pipelines)
    • signing-secrets is the name of the Secret for storing the signing key

    After execution, you can view the corresponding Secret resource:

    $ kubectl get secret signing-secrets -n tekton-pipelines -o yaml

apiVersion: v1
data:
  cosign.key: <base64-encoded-private-key>
  cosign.password: <base64-encoded-password>
  cosign.pub: <base64-encoded-public-key>
immutable: true
kind: Secret
metadata:
  name: signing-secrets
  namespace: tekton-pipelines
type: Opaque

    Get the Signing Public Key

    TIP

    If you don't have permission, you can ask the administrator to get the public key.

    $ export NAMESPACE=<tekton-pipelines>
$ kubectl get secret -n $NAMESPACE signing-secrets -o jsonpath='{.data.cosign\.pub}' | base64 -d > cosign.pub

    Get the Signing Secret

    $ export NAMESPACE=<tekton-pipelines>
$ kubectl get secret -n $NAMESPACE signing-secrets -o yaml > signing-secrets.yaml

    Restart Tekton Chains

    After configuring the signing key, restart the Tekton Chains component to make it take effect:

    $ kubectl delete pods -n tekton-pipelines -l app=tekton-chains-controller

    Wait for the component to start:

    $ kubectl get pods -n tekton-pipelines -l app=tekton-chains-controller -w

NAME                                        READY   STATUS    RESTARTS   AGE
tekton-chains-controller-55876dfbbd-5wv5z   1/1     Running   0          1m30s

    References