From YouTube: Sigstore Community Meeting - November 16, 2021
B: For today's agenda, we're going to quickly just go over a little bit about kpack, alongside how we would sign the output image. So kpack, for those who don't know, is a tool or environment that you can install in Kubernetes to help build OCI images using Cloud Native Buildpacks. It does this by creating build resources, where you define stores and stacks, which I'll go over later, as well as the image resource, which defines what app you're going to be building and the OCI image, and things like that.

B: So here, for those who are interested, we had an initial RFC done by another team member, Maureen. A lot of effort was put into that, and then from there we started with the initial cosign PR.
B: Further docs can be found here at this link, where we defined all the cosign configurations that we will go over soon, and I guess, for those who are interested, we also have the demo commands here which, since it's recorded, you all can take a look at afterwards. But in the meantime, I'm going to quickly just run the installation so that we don't have to waste time there, running it on the side.

B: So the first thing with cosign with kpack is that we utilize the cosign keys that were generated from cosign generate-key-pair, so you can either use the command provided by the CLI or, you know, run the file manually. In our case right now, we're going to do that. The only required field for us right now is data cosign.key. The cosign key password is optional.
B: If it's blank, and then we currently don't use the pub, but we hope to use that soon when we actually start doing the verification steps inside the kpack environment as well. So our first key is a pretty generic key, and then our second key, we have annotations here for cosign repository, which will set the cosign repository environment variable so that the signatures can be located in a different location, and then there's the cosign Docker media types, which can be enabled as well to handle, you know, legacy registries.

B: So this is pretty much the same as what you would get from cosign generate. So the next step is to then define your registry secrets. We have the two: where I'm going to be pushing the image, as well as that extra co-located signature location, and the corresponding service account. So the service account will be attached to the build and image resources later on, which I'll explain. As you can see, we just add the cosign key secrets.
B: As you know, as part of the secrets. And then after that we have the cluster stack. The cluster stack is a resource for kpack where we define the build image as well as the run image, the build image being the base image used for building the image itself, and the run image, which is the base image used for running the application later on.

B: So this is the first thing, cluster stack. Then we have the cluster store. In the cluster store you can provide the buildpacks that you'll be using as well; in this case it'll be a Golang application that we will be building, so here are the Golang buildpacks. And then finally, well, not finally, but we have the builder itself. So the builder will define the service account you'll be using. You'll have to have an extra builder tag, where this is the extra image that is being created intermittently that I mentioned.
B: That we would, in the future, like to sign as well as verify. But what this image is, is that it'll list out the stack and store, as well as the order of operations for how the builder will work. And then there's the image resource itself.

B: There's two here right now to demonstrate that we also handle additional annotations to be added into the signatures. By default it will have build number as well as build timestamp, but these are additional ones that you can add in, so that when you do the verify command, you would be able to see these as one of the parts of the optional field. And then back to here.
B: So in the meantime, while this was all finishing, you can see that the stack was created, the store was created, the builder was hopefully created, yep, and then there are now two output images here. So these are the final results of the build, and there were two pods that get created, one for each of them. So there's a bunch of steps that happen within each of these pods that build it, but in the final step we do the signing, and that can be found inside the logs.

B: So, as can be seen here, we loaded the secrets. We then pushed signatures to the two locations, the second one being the cosign repository override. So we have the two.
B: So then we can just easily grab the digest using this quick set command for the above, and you can see that the image that we created is signed with the annotations for the first scenario. And likewise, I'm not going to go through too much, but the second scenario will have no annotations, as mentioned before. We could run the app if we wanted to just verify that the app did build, but that's actually just part of how kpack works, so it's kind of outside of scope in regards to cosign.

B: But I guess this is a quick run-through of that. Any particular questions?

B: So, a quick one on what is next: we're going to also, like I mentioned before, sign and verify images for the builders, but right now we're waiting on a little bit of changes in regards to how... I'm not sure how far the efforts have been in making cosign more library-friendly, so that we can pass in keychains, because right now we'd have to write the config JSONs for Docker.
C: All right, Danny, I have two questions, if I can jump in ahead of everyone. The first one is: is this a new lifecycle step in the Cloud Native Buildpacks lifecycle?

B: It leverages the original, like, completion lifecycle step, where originally there was already a Notary implementation, so we leveraged that portion. So that's when the image gets built: at completion, we also run through the cosign signing if there are cosign keys attached to the service account.
C: Okay. My second question, that's really helpful, thank you. Then my second question was with, sort of like, Rekor integration. I mean, what kind of a record do you see yourself adding? Would it just be the signature, or did you have other records in mind as well?

B: Feel free to reach out on Slack, or, I suppose, if you need to email, dihong at vmware.com would be another option for any further questions or information you may be interested in.
A: Just checking where we are. So there's nothing else on the agenda, so what we can do now is, we tend to keep, if we have spare time at the end, an "any other business" slot, which is for something that's not really found a slot in the existing agenda; somebody can bring it up. And we also have a section where anybody that's new to the community and has come along can say hi, okay, and introduce themselves.

A: You absolutely don't have to, okay, it's just sometimes people would like to just sort of, you know, talk about what they want to work on, or they're just kicking the tires and getting used to things. So, first of all, in any other business, is there any sort of item that was not on the agenda that is particularly pertinent that anybody wants to bring up?
A: Incidentally, if anybody does any talks, or, you know, podcasts or anything like that around Sigstore, just tag projectsigstore and we'll get it, we're going to retweet it. Any other interesting talks coming up, Dan? You have anything? You're usually quite busy with podcasts, and there is something we're doing soon, isn't it? Then I saw somebody around CI/CD and secure supply chain.

A: Okay, the weeks are a blur. I got included in RSA, which would be interesting.

A: Okay, so anybody like to sort of say hi and, you know, introduce yourself to the community? As I said, you don't have to, but sometimes it's a good way of kind of getting involved, getting yourself known.
E: Hey everyone, my name is Hayden Blauzvern. I just recently joined the open source security team at Google. I've been at Google for about three and a half years. I've worked on a couple of Google's cloud CAs, one of which was a component of Anthos Service Mesh, and I also worked on Certificate Authority Service which, as I understand, we are actively moving off beta onto v1 for Fulcio, so yeah. I definitely have an interest in helping out wherever I can with Sigstore.

A: Yeah, definitely, like those Fulcio issues that we raised earlier, the test harness; Scott's working on the 1.0 port for the GCP CA, and yeah, that'd be great. Good to have you, Hayden.

A: No? Okay, that's perfectly good, so we can conclude there and I'll see you next week. It's lovely to see you all, take care. Thank you all, bye.