Skip to content

feat(verify): KMS public-key verification (aicr verify --key) #1152

Description

@lockwobr

Problem

KMS-backed signing (#407) lets CI sign a bundle with a cloud KMS key, but aicr verify cannot verify the result. The verifier (pkg/bundler/verifier/verifier.goverifySigstoreBundle) only verifies keyless Sigstore bundles against the public-good trusted root (trust.GetTrustedMaterial()); there is no public-key verification path.

Proposal

Add a --key <kms-uri-or-pubkey> option to aicr verify that verifies a key-signed bundle against the corresponding public key (KMS URI or a local PEM), mirroring cosign verify --key.

Behavior

  • --key selects public-key verification instead of keyless certificate-identity verification.
  • Accepts the same KMS URI schemes as signing (awskms://, gcpkms://, azurekms://, hashivault://) and local public-key files.
  • Mutually exclusive with the keyless identity-pinning path (--certificate-identity-regexp).

Dependencies

Success criteria

  • A bundle signed with aicr bundle --signing-key gcpkms://... verifies with aicr verify --key gcpkms://....
  • make test / make lint pass.

Metadata

Metadata

Assignees

Fields

No fields configured for Enhancement.

Projects

No projects

Milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions