You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
The /v1/bundle endpoint (aicrd) does not attest or sign bundles at all. The handler builds aicr.BundleOptions{Config, OutputDir, Timeout} with no Attester (pkg/server/bundle_handler.go), so server-generated bundles are always unsigned — there is no server-side equivalent of aicr bundle --attest. The OpenAPI spec reflects this, framing attestation as a CLI-only flow that "requires OIDC interactive or ambient authentication" (api/aicr/v1/server.yaml).
This blocks the server from participating in the enterprise signing use cases tracked by the rest of the epic: a CI pipeline or platform that bundles via the API cannot get a signed artifact back.
Why this is separate from the CLI signing work
The CLI's default signing path is interactive browser OIDC, which is a non-starter for a long-running daemon. So server-side attestation is not just "pass the existing attester through" — it needs a signing identity that works without a human at a browser:
Request-supplied / ambient OIDC — a pre-fetched identity token (e.g. workload identity) passed on the request, or ambient OIDC when aicrd itself runs in a CI context. Carries trust/expiry questions (the server signs on behalf of a caller) that need a design pass.
The client facade already has the seam: aicr.BundleOptions.Attester and MakeBundle honor an injected attester (pkg/client/v1/bundle.go). The missing piece is how the server constructs that attester and how the request/config expresses it.
Scope (proposed)
Decide and document the server signing identity model (KMS key from server config vs. request-supplied identity token vs. ambient), including the trust boundary.
Construct an Attester in bundleHandler.HandleBundles (or the client facade) from that model and pass it through BundleOptions.
Problem
The
/v1/bundleendpoint (aicrd) does not attest or sign bundles at all. The handler buildsaicr.BundleOptions{Config, OutputDir, Timeout}with noAttester(pkg/server/bundle_handler.go), so server-generated bundles are always unsigned — there is no server-side equivalent ofaicr bundle --attest. The OpenAPI spec reflects this, framing attestation as a CLI-only flow that "requires OIDC interactive or ambient authentication" (api/aicr/v1/server.yaml).This blocks the server from participating in the enterprise signing use cases tracked by the rest of the epic: a CI pipeline or platform that bundles via the API cannot get a signed artifact back.
Why this is separate from the CLI signing work
The CLI's default signing path is interactive browser OIDC, which is a non-starter for a long-running daemon. So server-side attestation is not just "pass the existing attester through" — it needs a signing identity that works without a human at a browser:
awskms:///gcpkms:///azurekms:///hashivault://). This is the natural fit for a daemon and the most likely default.The client facade already has the seam:
aicr.BundleOptions.AttesterandMakeBundlehonor an injected attester (pkg/client/v1/bundle.go). The missing piece is how the server constructs that attester and how the request/config expresses it.Scope (proposed)
AttesterinbundleHandler.HandleBundles(or the client facade) from that model and pass it throughBundleOptions.--tlog-upload=false(feat(bundle): air-gapped signing with --tlog-upload=false for restricted networks #409) as request/config fields where they make sense.api/aicr/v1/server.yaml.docs/user/api-reference.md,docs/contributor/api-server.md.Dependencies
--fulcio-url/--rekor-url) and feat(bundle): air-gapped signing with --tlog-upload=false for restricted networks #409 (--tlog-upload) — once the server signs, these library options should be reachable server-side.Out of scope
Success criteria
POST /v1/bundlecan be returned signed, using a non-interactive signing identity (KMS to start).make test/make lintpass with no regressions.