Prerequisites
Feature Summary
Add a standalone aicr evidence publish (sign + push + write pointer) that operates on an already-emitted on-disk evidence bundle, so the cluster-bound validation step and the Fulcio/Rekor-bound signing step can run on different networks.
Problem/Use Case
Validation must run where the cluster is reachable (often a corporate VPN), but keyless signing must reach fulcio.sigstore.dev + rekor.sigstore.dev, which corporate networks frequently block. Today aicr validate --emit-attestation --push does validate → emit → sign → push → write pointer.yaml as one atomic step, so if Fulcio is unreachable the whole publish fails (POST fulcio.sigstore.dev/api/v2/signingCert: EOF, exit 6) even though validation, OCI push, and OIDC all succeeded.
Proposed Solution
aicr evidence publish <bundle-dir> --push <ref> [signing/OIDC flags] that reuses the existing sign+push leg (today embedded in the validate emit path) against a pre-built summary-bundle/: package as OCI, keyless-sign the in-toto statement, attach the Sigstore referrer, write pointer.yaml. It signs the bundle bytes as-is (the timestamp is already baked at emit time → no determinism concern). validate --emit-attestation (no --push) remains the "produce unsigned bundle" step.
Success Criteria
validate --emit-attestation <dir> on VPN → unsigned bundle; evidence publish <dir> --push <ref> off-VPN → signed artifact + pointer.yaml, identical to today's one-shot output.
evidence verify on the resulting pointer/OCI hits signature-verify | passed.
- One-shot
validate --emit-attestation --push behavior is unchanged (no breaking change).
- All signing/OIDC flags (
--identity-token, --oidc-device-flow, --insecure-tls) are available on the new command.
Alternatives Considered
Component
CLI (aicr)
Priority
Important (would improve my workflow)
Compatibility / Breaking Changes
None — additive. The new subcommand reuses the existing sign+push leg; the one-shot validate --emit-attestation --push path is untouched.
Operational Considerations
Decoupling lets the passing validation result be preserved as an artifact and signed/published from a host with Sigstore egress (CI runner, jump box, hotspot). The on-disk bundle is content-addressable, so the signed artifact is identical regardless of which step happened where.
Are you willing to contribute?
Maybe, with guidance
Prerequisites
Feature Summary
Add a standalone
aicr evidence publish(sign + push + write pointer) that operates on an already-emitted on-disk evidence bundle, so the cluster-bound validation step and the Fulcio/Rekor-bound signing step can run on different networks.Problem/Use Case
Validation must run where the cluster is reachable (often a corporate VPN), but keyless signing must reach
fulcio.sigstore.dev+rekor.sigstore.dev, which corporate networks frequently block. Todayaicr validate --emit-attestation --pushdoes validate → emit → sign → push → writepointer.yamlas one atomic step, so if Fulcio is unreachable the whole publish fails (POST fulcio.sigstore.dev/api/v2/signingCert: EOF, exit 6) even though validation, OCI push, and OIDC all succeeded.Proposed Solution
aicr evidence publish <bundle-dir> --push <ref> [signing/OIDC flags]that reuses the existing sign+push leg (today embedded in thevalidateemit path) against a pre-builtsummary-bundle/: package as OCI, keyless-sign the in-toto statement, attach the Sigstore referrer, writepointer.yaml. It signs the bundle bytes as-is (the timestamp is already baked at emit time → no determinism concern).validate --emit-attestation(no--push) remains the "produce unsigned bundle" step.Success Criteria
validate --emit-attestation <dir>on VPN → unsigned bundle;evidence publish <dir> --push <ref>off-VPN → signed artifact +pointer.yaml, identical to today's one-shot output.evidence verifyon the resulting pointer/OCI hitssignature-verify | passed.validate --emit-attestation --pushbehavior is unchanged (no breaking change).--identity-token,--oidc-device-flow,--insecure-tls) are available on the new command.Alternatives Considered
validatefrom a hotspot/off-VPN network — requires the cluster to be reachable from there, which it usually isn't.*.sigstore.dev.validaterun.Component
CLI (aicr)
Priority
Important (would improve my workflow)
Compatibility / Breaking Changes
None — additive. The new subcommand reuses the existing sign+push leg; the one-shot
validate --emit-attestation --pushpath is untouched.Operational Considerations
Decoupling lets the passing validation result be preserved as an artifact and signed/published from a host with Sigstore egress (CI runner, jump box, hotspot). The on-disk bundle is content-addressable, so the signed artifact is identical regardless of which step happened where.
Are you willing to contribute?
Maybe, with guidance