sigstore-java

Is interaction with other KMS available or on the roadmap?

Open fletort opened this issue 2 years ago • 4 comments

Is interaction with other KMS available or on the roadmap?

I mean, is this feature of the CLI https://docs.sigstore.dev/signing/signing_with_containers/#sign-with-a-key-pair-stored-elsewhere already available in this plugin?

fletort avatar Oct 25 '23 12:10 fletort

So sigstore-java's plan is to support the keyless workflows for the Java ecosystem. What workflow do you have in mind? Is KMS a requirement?

loosebazooka avatar Oct 25 '23 12:10 loosebazooka

The one indicated by my link to the cosign CLI. The feature to use other KMS (Key Management Service) APIs such as Azure Key Vault, AWS KMS, ... or a local install of HashiCorp Vault.

fletort avatar Oct 25 '23 13:10 fletort

I guess I'm curious why you need KMS in the Java client? And why keyless isn't sufficient?

loosebazooka avatar Oct 25 '23 13:10 loosebazooka

I am in an environment not connected to the internet. So to make the keyless available I am using a local HashiCorp Vault.

Cosign gives the ability to do that. You should ask sigstore why it is possible with the CLI :-).

I think that it also gives the possibility to connect to a personal KMS on the cloud. With that, you are not linked to the default one from sigstore.

On Wed, Oct 25, 2023 at 15:58, Appu @.***> wrote:

I guess I'm curious why you need KMS in the java client? And why keyless isn't sufficient?


fletort avatar Oct 25 '23 14:10 fletort