Additional verification methods

[simongottschlag]

Description

Hi again! Thanks for the really awesome job you are doing!

I'm looking into using this together with Azure Key Vault and Azure Container Registry. In my case, each namespace will have a separate key in Key Vault and the identity used by the provider will have verify access to each key.

My idea is to add some config parameters to the provider to be able to configure how the verification is done and configured, but before starting anything I'd like to understand what plans you already have to make sure I align with them in the best possible way.

Would you like some kind of formal proposal from me or something like that? Or maybe you don't want to provide those kinds of features with the provider and only use it as an example?

Keep up the great work! 🚀👍🥇

[ribbybibby]

Hi @simongottschlag, we're also interested in configuring different verification options.

We've been working on it in #6. I'd love to hear your input and if what we've discussed there would meet your use case.

[simongottschlag]

@ribbybibby I've gone through the PR and done some testing on my own. I'm trying to get MSI authentication to work with both Azure KMS and Azure Container Registry. The first one is working (if using main branch of sigstore) but I'm having issues with authentication using go-containerregistry with Azure and need to get it working before I'm able to see how it all fits in.

One thing I think we will need to add is to be able to specify the key as an annotation for a POD, to be able to look it up in the cosign provider. But I will get back to that when I've successfully gotten ACR auth to work.

[simongottschlag]

@ribbybibby I've successfully gotten Azure KMS and Azure CR to work with MSI auth, but I had to hack around in multiple projects and probably spent 8h total to understand different parts of the tool chain.

I will think about this for a few days and organize the different PRs to the different libraries from here.

It's a lot of fun but since I'm doing it on my free time it's going to be hard to give any specifics when I'm able spend time on it.

I'll keep you updated!

[simongottschlag]

As a reference to the authentication issues: sigstore/cosign#1350

[simongottschlag]

Closing this for now and will get back to it when the current PRs are merged if needed.