I didn't know about COSIGN_IDENTITY_TOKEN! (it wasn't implemented as a provider so I didn't see it)
I'd like to standardize on a SIGSTORE_ prefix so that we can have a consistent environment variable across clients, and implement this as a provider so it's easier to pull into other clients like Gitsign (until sigstore-go takes over providers).
Description
I'd like to propose adding environment variable OIDC token detection for cosign.
Main use case is to support GitLab CI OIDC tokens - see sigstore/fulcio#983 for more details.
Proposal
Today, users can already use arbitrary OIDC tokens by using the --identity-token flag.

cosign sign --identity-token=${TOKEN} ...

To make this easier, I want to allow cosign to detect a token from environment variables.
To help avoid collisions with existing token variables, we should use a prefixed value such as SIGSTORE_ID_TOKEN.
This could also be used to allow other CI providers to hook in without needing additional changes to cosign (though I'm still in support of allowing custom providers per host).
Example: GitLab
I'm happy to implement this.
Previous GitLab related issues:
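The following is an added example, not code from cosign or the sigstore project, sketching what an environment-variable token provider like the one proposed above could look like. The tokenProvider interface, the envProvider type, the variable precedence (SIGSTORE_ID_TOKEN first, COSIGN_IDENTITY_TOKEN as fallback) and the local sanity checks are all assumptions of this example; cosign's real providers package may differ. The checks only parse the JWT payload to fail fast on an expired or mis-scoped token; signature verification remains the job of the server (Fulcio) that consumes it.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"os"
	"strings"
	"time"
)

// tokenProvider is an assumed interface shaped like an OIDC identity-token
// provider (Enabled/Provide); it is not cosign's own providers package.
type tokenProvider interface {
	Enabled() bool
	Provide(audience string) (string, error)
}

// envProvider reads a raw OIDC token from environment variables, in order.
// SIGSTORE_ID_TOKEN is the prefixed name proposed in the issue; the existing
// COSIGN_IDENTITY_TOKEN mentioned in the thread is kept as a fallback.
type envProvider struct {
	vars   []string
	lookup func(string) (string, bool) // os.LookupEnv normally; injectable in tests
	now    func() time.Time
}

var _ tokenProvider = (*envProvider)(nil)

func newEnvProvider() *envProvider {
	return &envProvider{
		vars:   []string{"SIGSTORE_ID_TOKEN", "COSIGN_IDENTITY_TOKEN"},
		lookup: os.LookupEnv,
		now:    time.Now,
	}
}

// firstSet returns the first configured variable holding a non-blank value.
func (p *envProvider) firstSet() (name, value string, ok bool) {
	for _, n := range p.vars {
		if v, found := p.lookup(n); found && strings.TrimSpace(v) != "" {
			return n, strings.TrimSpace(v), true
		}
	}
	return "", "", false
}

func (p *envProvider) Enabled() bool { _, _, ok := p.firstSet(); return ok }

// jwtClaims holds the few registered claims the sanity check looks at.
type jwtClaims struct {
	Iss string          `json:"iss"`
	Aud json.RawMessage `json:"aud"` // string or []string per RFC 7519
	Exp int64           `json:"exp"`
}

// parseClaims decodes the payload segment only; it does NOT verify the signature.
func parseClaims(tok string) (*jwtClaims, error) {
	parts := strings.Split(tok, ".")
	if len(parts) != 3 {
		return nil, errors.New("token is not a three-segment JWT")
	}
	raw, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return nil, fmt.Errorf("payload is not base64url: %w", err)
	}
	var c jwtClaims
	if err := json.Unmarshal(raw, &c); err != nil {
		return nil, fmt.Errorf("payload is not JSON: %w", err)
	}
	return &c, nil
}

// audiences normalises the aud claim to a slice.
func (c *jwtClaims) audiences() []string {
	var one string
	if json.Unmarshal(c.Aud, &one) == nil {
		return []string{one}
	}
	var many []string
	_ = json.Unmarshal(c.Aud, &many)
	return many
}

// Provide returns the token after local checks so that a stale or mis-scoped
// token fails with a clear local message instead of an opaque remote error.
func (p *envProvider) Provide(audience string) (string, error) {
	name, tok, ok := p.firstSet()
	if !ok {
		return "", errors.New("no identity token found in environment")
	}
	c, err := parseClaims(tok)
	if err != nil {
		return "", fmt.Errorf("%s: %w", name, err)
	}
	if c.Exp != 0 && !p.now().Before(time.Unix(c.Exp, 0)) {
		return "", fmt.Errorf("%s: token expired at %s", name, time.Unix(c.Exp, 0).UTC())
	}
	if audience != "" {
		found := false
		for _, a := range c.audiences() {
			if a == audience {
				found = true
			}
		}
		if !found {
			return "", fmt.Errorf("%s: audience %v does not include %q", name, c.audiences(), audience)
		}
	}
	return tok, nil
}

// makeUnsignedToken builds a constructed, unsigned JWT for demonstration only.
func makeUnsignedToken(claims map[string]any) string {
	enc := func(v any) string { b, _ := json.Marshal(v); return base64.RawURLEncoding.EncodeToString(b) }
	return enc(map[string]string{"alg": "none", "typ": "JWT"}) + "." + enc(claims) + "."
}

func main() {
	// Constructed environment emulating a CI job that exported the proposed variable.
	env := map[string]string{"SIGSTORE_ID_TOKEN": makeUnsignedToken(map[string]any{
		"iss": "https://gitlab.example", "aud": "sigstore", "exp": time.Now().Add(time.Hour).Unix()})}
	p := newEnvProvider()
	p.lookup = func(k string) (string, bool) { v, ok := env[k]; return v, ok }
	tok, err := p.Provide("sigstore")
	fmt.Println(p.Enabled(), err == nil, len(tok) > 0)
}
```

The lookup and clock are injectable so the precedence and expiry rules can be exercised without touching the real process environment; in a real client the provider would be registered alongside the existing CI providers and consulted only when no --identity-token flag was given.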