Skip to content

[Epic]: Closed supply chain (V1) — enterprise signing and verification #1149

Description

@lockwobr

Goal

Deliver the V1 "Closed Supply Chain" acceptance bar for AICR bundles and recipe data:

every artifact (binary, image, recipe data, bundle) has retrievable provenance and a documented verification path that works in air-gapped, private, and public-trust deployments

This epic tracks the two halves that are not yet shipped — signing in enterprise environments and the matching verification path — plus recipe-data provenance and the end-user verification guide. (Build-time provenance for binaries and images already ships.)

Signing lives in pkg/bundler/attestation/ (SignStatement in signing.go, the attester resolver in resolver.go) and uses sigstore-go's sign package. Verification lives in pkg/bundler/verifier/ (aicr verifyverifySigstoreBundle), which today only checks keyless bundles against the public-good trusted root (trust.GetTrustedMaterial()).

Signing sub-issues

# Title Size Notes
#408 Private Sigstore via --fulcio-url / --rekor-url Small Library already plumbs SignOptions.FulcioURL/RekorURL; CLI wiring only.
#685 OIDC token caching across runs Medium Iteration ergonomics; not V1-blocking — once #407 lands its audience is local-dev. Standalone.
#407 KMS-backed signing via --signing-key Large Foundation. Key-based signer alongside the keyless path; pulls KMS-provider deps under sigstore-go.
#409 Air-gapped signing via --tlog-upload=false Small (gated) One flag + conditional Rekor step + validation matrix; meaningful once #407 lands.
#1150 Server-side bundle attestation for /v1/bundle Large /v1/bundle does not sign today; needs a non-interactive identity — KMS, request-supplied identity token, or ambient OIDC (browser OIDC can't work in a daemon). Gated on #407.

Verification & provenance sub-issues

Signing without a matching verification path breaks the chain at the consumer. Each signing mode needs its verify counterpart:

Signing mode Verification counterpart
KMS-backed signing (#407) #1152 — verifier aicr verify --key <kms-uri>
Private Fulcio/Rekor (#408) #1153 — verifier custom/private trust root
Air-gapped --tlog-upload=false (#409) #1154 — offline verification (skip tlog)

Plus the peer workstreams:

Suggested sequencing

  1. feat(bundle): private Sigstore infrastructure support via --fulcio-url and --rekor-url #408 — quick independent win, no dependencies.
  2. bundle --attest: no OIDC token caching across runs (every invocation triggers new Rekor entry) #685 — standalone iteration improvement; independent (non-V1-blocking).
  3. feat(bundle): KMS-backed signing for CI/CD environments without OIDC #407 — the foundation; unblocks air-gap, server-side, and KMS verification.
  4. feat(bundle): air-gapped signing with --tlog-upload=false for restricted networks #409 + feat(verify): KMS public-key verification (aicr verify --key) #1152 + feat(verify): private Sigstore trust root for bundle verification #1153 — air-gapped signing and the KMS / private-trust verify counterparts (ride on feat(bundle): KMS-backed signing for CI/CD environments without OIDC #407 / feat(bundle): private Sigstore infrastructure support via --fulcio-url and --rekor-url #408).
  5. feat(verify): offline / air-gapped verification (skip tlog) #1154 — offline verify (rides on feat(verify): KMS public-key verification (aicr verify --key) #1152).
  6. feat(server): bundle attestation for /v1/bundle (non-interactive signing) #1150 — server-side signing (rides on feat(bundle): KMS-backed signing for CI/CD environments without OIDC #407).
  7. feat: recipe-data provenance (signed catalog/registry) #1155 / docs: verify-on-deploy path for signed bundles #1156 / docs: end-user artifact verification guide #1157 — recipe-data provenance and the docs, once the feature surfaces they describe exist.

Success criteria

Scope

In scope: the sub-issues above — signing changes in pkg/cli/bundle.go / pkg/bundler/attestation/, verification changes in pkg/cli / pkg/bundler/verifier/, server changes in pkg/server / pkg/client/v1 (#1150), recipe-data work in pkg/recipe (#1155), and docs.

Out of scope: build-time provenance for binaries/images (already shipped); changes to the in-toto predicate/statement shape; new attestation types. New gaps surfaced while implementing should be filed as standalone issues and attached here.

Correctness notes (verified 2026-06-02)

The four original issues were filed before signing migrated to sigstore-go and before the headless-OIDC flows landed; each body was refreshed for accuracy:

Metadata

Metadata

Assignees

Type

Fields

No fields configured for Epic.

Projects

No projects

Milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions