# Sigstore KMS Plugin for Infisical

Supports cosign image and artifact signing with Infisical KMS, using the Infisical Go SDK.
| Capability | Compatibility |
|---|---|
| DefaultAlgorithm | RSA_4096 |
| SupportedAlgorithm | RSA_4096, ECC_NIST_P256 |
| CreateKey | ✔️ |
| PublicKey | ✔️ |
| SignMessage | ✔️ |
| VerifyMessage | ✔️ |
| CryptoSigner | ❌ |
For the sigstore library to invoke the plugin, the binary must be in your system's PATH:

```shell
git clone https://github.com/Infisical/sigstore-kms-infisical.git
cd sigstore-kms-infisical
go build -o sigstore-kms-infisical
cp sigstore-kms-infisical /usr/local/bin
```

The Infisical KMS plugin is configured through environment variables, which therefore must be set before running cosign with the plugin. Currently the plugin only supports Machine Identity Universal Auth for authentication; more authentication methods will be added in the future.
These are the minimum variables required:

```shell
INFISICAL_SITE_URL="https://app.infisical.com"
INFISICAL_UNIVERSAL_AUTH_CLIENT_ID="<machine-identity-client-id>"
INFISICAL_UNIVERSAL_AUTH_CLIENT_SECRET="<machine-identity-client-secret>"
INFISICAL_PROJECT_ID="<infisical-kms-project-id>"
```

Sign an image with an existing KMS key:

```shell
cosign sign --key "infisical://{KMS_KEY_NAME}" --tlog-upload=false my-repo/image:v1
```

Verify the signature with the same key:

```shell
cosign verify --key "infisical://{KMS_KEY_NAME}" --insecure-ignore-tlog=true my-repo/image:v1
```

Create a new key in Infisical KMS:

```shell
cosign generate-key-pair --kms infisical://{NEW_KEY_TO_BE_CREATED}
```

The above will create an RSA 4096 KMS key named NEW_KEY_TO_BE_CREATED, which you can then use to sign and verify with.
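The steps above (plugin on PATH, environment set, sign, verify) as one pre-flight wrapper script; this is an added example and not part of the plugin repository. The script name `sign.sh`, the function names and the positional arguments are assumptions; the variable names, key URI scheme and cosign flags are the ones documented above.

```shell
#!/usr/bin/env bash
# Added example: pre-flight checks and a sign-then-verify wrapper for cosign
# with the Infisical KMS plugin (not code from the plugin repository).
set -eu

PLUGIN_BIN="sigstore-kms-infisical"
REQUIRED_VARS="INFISICAL_SITE_URL INFISICAL_UNIVERSAL_AUTH_CLIENT_ID \
INFISICAL_UNIVERSAL_AUTH_CLIENT_SECRET INFISICAL_PROJECT_ID"

# Build the key reference cosign passes to this plugin: infisical://<key name>.
key_ref() { printf 'infisical://%s' "$1"; }

# Print the names of required variables that are unset or empty, one per line.
missing_vars() {
  for v in $REQUIRED_VARS; do
    eval "val=\${$v:-}"
    [ -n "$val" ] || echo "$v"
  done
}

# Fail early, before cosign spawns the plugin, if the binary is not on PATH
# or the Universal Auth configuration is incomplete.
preflight() {
  command -v "$PLUGIN_BIN" >/dev/null 2>&1 || {
    echo "plugin $PLUGIN_BIN not found on PATH" >&2; return 1; }
  local missing
  missing=$(missing_vars)
  [ -z "$missing" ] || { echo "missing env: $missing" >&2; return 1; }
}

# Sign an image and immediately verify it against the same KMS key.
# Transparency-log upload is disabled as in the README, so verification must
# skip the tlog as well; trust then rests solely on who can use the KMS key,
# so keep the machine identity scoped to the KMS project only.
sign_and_verify() {
  local key="$1" image="$2"
  cosign sign --key "$(key_ref "$key")" --tlog-upload=false "$image"
  cosign verify --key "$(key_ref "$key")" --insecure-ignore-tlog=true "$image"
}

# Runs only when called with a key name and an image reference, e.g.:
#   ./sign.sh MY_KEY my-repo/image:v1
if [ "$#" -eq 2 ]; then
  preflight
  sign_and_verify "$1" "$2"
fi
```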