Problem
Red Hat GPG and sigstore public keys are embedded directly in the codebase:
-
trustee-chart: templates/gpg-public-key-secret.yaml and templates/sigstore-key-secret.yaml contain hardcoded key material in Kubernetes Secret templates. These Secrets are created unconditionally but are not consumed — they are not added to kbsSecretResources and no active security policy references them.
-
coco-pattern: keys/SIGSTORE-redhat-release3 is a key file checked into the repo. The values-secret.yaml.template also contains a base64-encoded copy of the sigstore key inline in the security policy JSON.
Signing keys should not be embedded in source control. They should be fetched from Red Hat's official distribution URLs at install time.
Current State
Required Changes
trustee-chart
coco-pattern
When signing enforcement is unblocked
Official Key URLs
Related
🤖 Generated with Claude Code
Problem
Red Hat GPG and sigstore public keys are embedded directly in the codebase:
trustee-chart:
templates/gpg-public-key-secret.yamlandtemplates/sigstore-key-secret.yamlcontain hardcoded key material in Kubernetes Secret templates. These Secrets are created unconditionally but are not consumed — they are not added tokbsSecretResourcesand no active security policy references them.coco-pattern:
keys/SIGSTORE-redhat-release3is a key file checked into the repo. Thevalues-secret.yaml.templatealso contains a base64-encoded copy of the sigstore key inline in the security policy JSON.Signing keys should not be embedded in source control. They should be fetched from Red Hat's official distribution URLs at install time.
Current State
securityPolicyFlavourdefaults toinsecure— no signature verification is activeRequired Changes
trustee-chart
templates/gpg-public-key-secret.yaml(orphaned Secret)templates/sigstore-key-secret.yaml(orphaned Secret)coco-pattern
keys/SIGSTORE-redhat-release3(embedded key file)https://www.redhat.com/security/data/63405576.txthttps://access.redhat.com/security/data/fd431d51.txtvalues-secret.yaml.templateto dynamically inject sigstore key into security policy JSON from the cached download (currently base64-hardcoded)redhat-secure-gpgpolicy definition (GPG path requires HTTP lookaside support that doesn't exist in image-rs)When signing enforcement is unblocked
kbsSecretResourcesin trustee-chart (fetched via ESO from Vault, not embedded)make cache-keysas a documented prerequisite beforemake installwhen using signed policieskeyDatafield in the sigstore security policy to read from the user's local key cacheOfficial Key URLs
Related
docs/CONTAINER-SIGNING-BLOCKER.mddocuments the image-rs bug🤖 Generated with Claude Code