You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Deliver the V1 "Closed Supply Chain" acceptance bar for AICR bundles and recipe data:
every artifact (binary, image, recipe data, bundle) has retrievable provenance and a documented verification path that works in air-gapped, private, and public-trust deployments
This epic tracks the two halves that are not yet shipped — signing in enterprise environments and the matching verification path — plus recipe-data provenance and the end-user verification guide. (Build-time provenance for binaries and images already ships.)
Signing lives in pkg/bundler/attestation/ (SignStatement in signing.go, the attester resolver in resolver.go) and uses sigstore-go's sign package. Verification lives in pkg/bundler/verifier/ (aicr verify → verifySigstoreBundle), which today only checks keyless bundles against the public-good trusted root (trust.GetTrustedMaterial()).
/v1/bundle does not sign today; needs a non-interactive identity — KMS, request-supplied identity token, or ambient OIDC (browser OIDC can't work in a daemon). Gated on #407.
Verification & provenance sub-issues
Signing without a matching verification path breaks the chain at the consumer. Each signing mode needs its verify counterpart:
Each signing mode produces a bundle that is verifiable by aicr verify in the same environment: KMS-signed → --key; private-Sigstore-signed → private trust root; air-gapped → offline, no network calls.
Each lands with passing make test / make lint and docs updated.
Scope
In scope: the sub-issues above — signing changes in pkg/cli/bundle.go / pkg/bundler/attestation/, verification changes in pkg/cli / pkg/bundler/verifier/, server changes in pkg/server / pkg/client/v1 (#1150), recipe-data work in pkg/recipe (#1155), and docs.
Out of scope: build-time provenance for binaries/images (already shipped); changes to the in-toto predicate/statement shape; new attestation types. New gaps surfaced while implementing should be filed as standalone issues and attached here.
Correctness notes (verified 2026-06-02)
The four original issues were filed before signing migrated to sigstore-go and before the headless-OIDC flows landed; each body was refreshed for accuracy:
Goal
Deliver the V1 "Closed Supply Chain" acceptance bar for AICR bundles and recipe data:
This epic tracks the two halves that are not yet shipped — signing in enterprise environments and the matching verification path — plus recipe-data provenance and the end-user verification guide. (Build-time provenance for binaries and images already ships.)
Signing lives in
pkg/bundler/attestation/(SignStatementinsigning.go, the attester resolver inresolver.go) and uses sigstore-go'ssignpackage. Verification lives inpkg/bundler/verifier/(aicr verify→verifySigstoreBundle), which today only checks keyless bundles against the public-good trusted root (trust.GetTrustedMaterial()).Signing sub-issues
--fulcio-url/--rekor-urlSignOptions.FulcioURL/RekorURL; CLI wiring only.--signing-key--tlog-upload=false/v1/bundle/v1/bundledoes not sign today; needs a non-interactive identity — KMS, request-supplied identity token, or ambient OIDC (browser OIDC can't work in a daemon). Gated on #407.Verification & provenance sub-issues
Signing without a matching verification path breaks the chain at the consumer. Each signing mode needs its verify counterpart:
aicr verify --key <kms-uri>--tlog-upload=false(#409)Plus the peer workstreams:
Suggested sequencing
Success criteria
aicr verifyin the same environment: KMS-signed →--key; private-Sigstore-signed → private trust root; air-gapped → offline, no network calls.POST /v1/bundlecan be returned signed using a non-interactive identity (feat(server): bundle attestation for /v1/bundle (non-interactive signing) #1150).make test/make lintand docs updated.Scope
In scope: the sub-issues above — signing changes in
pkg/cli/bundle.go/pkg/bundler/attestation/, verification changes inpkg/cli/pkg/bundler/verifier/, server changes inpkg/server/pkg/client/v1(#1150), recipe-data work inpkg/recipe(#1155), and docs.Out of scope: build-time provenance for binaries/images (already shipped); changes to the in-toto predicate/statement shape; new attestation types. New gaps surfaced while implementing should be filed as standalone issues and attached here.
Correctness notes (verified 2026-06-02)
The four original issues were filed before signing migrated to sigstore-go and before the headless-OIDC flows landed; each body was refreshed for accuracy:
SignerVerifier/cosign.LoadKeyFromKMS(); KMS now means a key-based signer in the sigstore-go path and will add dependencies.SignOptions.FulcioURL/RekorURLalready exist with default fallback, so only CLI wiring is left.SignStatementunconditionally wiressign.NewRekor).bundle.go:510→selectAttester; token acquired inResolveAttesterLazy); "Related" updated since--oidc-device-flow/--identity-token/ ambient have shipped.aicr bundle-signsubcommand — signing isaicr bundle --attest.