
sigstore-kms-ovhcloud


Sigstore KMS plugin for OVHcloud KMS.


Installation

For sigstore to load the plugin, the binary must be on your system's PATH.

Installation command

curl -fsSL https://raw.githubusercontent.com/ovh/sigstore-kms-ovhcloud/main/install.sh | sh

The binary is installed in $HOME/.local/bin by default (created if it does not exist). Make sure this directory is in your PATH.

Install a specific version:

curl -fsSL https://raw.githubusercontent.com/ovh/sigstore-kms-ovhcloud/main/install.sh | sh -s <version>

Custom installation directory:

curl -fsSL https://raw.githubusercontent.com/ovh/sigstore-kms-ovhcloud/main/install.sh | sh -s -- -b <path>

Binary download

  1. Download latest release
  2. Untar / unzip the archive
  3. Add the containing folder to your PATH environment variable, or move the binary into a directory that is already in your PATH

Install from the source

Requires Go to be installed on your system.

Using go install:

go install github.com/ovh/sigstore-kms-ovhcloud/cmd/sigstore-kms-ovhcloud@latest

Using make:

git clone https://github.com/ovh/sigstore-kms-ovhcloud.git
cd sigstore-kms-ovhcloud
make install # installs to /usr/local/bin by default
# or:
make install PREFIX=$HOME/.local # installs to $HOME/.local/bin

Configuration

The OVHcloud provider supports both mTLS and token authentication.

Default settings can be set using a configuration file named okms.yaml and located in the ${HOME}/.ovh-kms directory. If you don't wish to use this default file, you can create your own and specify the full path in the KMS_CONFIG environment variable.

mTLS authentication

Example of okms.yaml:

version: 1
profile: default # Name of the active profile
profiles:
  default:
    restapi:
      endpoint: <kms-endpoint> # for example: "https://eu-west-rbx.okms.ovh.net"
      ca: /path/to/public-ca.crt # Optional if the CA is in system store
      auth:
        cert: /path/to/domain/cert.pem
        key: /path/to/domain/key.pem

These settings can be overridden with environment variables:

  • KMS_RESTAPI_ENDPOINT
  • KMS_RESTAPI_CA
  • KMS_RESTAPI_CERT
  • KMS_RESTAPI_KEY

Token authentication

Example of okms.yaml:

version: 1
profile: default # Name of the active profile
profiles:
  default:
    restapi:
      endpoint: <kms-endpoint> # for example: "https://eu-west-rbx.okms.ovh.net"
      ca: /path/to/public-ca.crt # Optional if the CA is in system store
      auth:
        type: token
        token: <token>
        okmsId: <okms-id> # for example: "734b9b45-8b1a-469c-b140-b10bd6540017"

These settings can be overridden with environment variables:

  • KMS_RESTAPI_ENDPOINT
  • KMS_RESTAPI_CA
  • KMS_RESTAPI_TYPE
  • KMS_RESTAPI_OKMSID
  • KMS_RESTAPI_TOKEN
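The following is an added illustration of how the settings above combine, written for this page and not taken from the plugin's own source. It models the rules the README states: KMS_CONFIG selects the file (otherwise ${HOME}/.ovh-kms/okms.yaml), the `profile` key selects the active profile, and the KMS_RESTAPI_* variables override the values in the file. Two things are assumptions of the example, not statements from the page: a profile with no `auth.type` is treated as mTLS (the mTLS sample above has no `type` field), and the fields shown in each sample are treated as required for that mode. The YAML parser handles only the small indentation-based subset used in the two samples; the embedded config text is constructed for the example.

```python
"""Resolve the effective okms.yaml settings with environment overrides.

Added example for the README, not the plugin's code. Parses only the
"key: value" / nested-mapping subset of YAML used in the okms.yaml samples.
"""
import os
from typing import Any, Dict, Mapping

# Environment variable -> path of the setting it overrides inside the active
# profile, taken from the two lists in the README.
ENV_OVERRIDES = {
    "KMS_RESTAPI_ENDPOINT": ("restapi", "endpoint"),
    "KMS_RESTAPI_CA": ("restapi", "ca"),
    "KMS_RESTAPI_CERT": ("restapi", "auth", "cert"),
    "KMS_RESTAPI_KEY": ("restapi", "auth", "key"),
    "KMS_RESTAPI_TYPE": ("restapi", "auth", "type"),
    "KMS_RESTAPI_OKMSID": ("restapi", "auth", "okmsId"),
    "KMS_RESTAPI_TOKEN": ("restapi", "auth", "token"),
}

# Constructed sample in the README's mTLS layout (paths are placeholders).
SAMPLE_MTLS = """\
version: 1
profile: default # Name of the active profile
profiles:
  default:
    restapi:
      endpoint: "https://eu-west-rbx.okms.ovh.net"
      ca: /path/to/public-ca.crt
      auth:
        cert: /path/to/domain/cert.pem
        key: /path/to/domain/key.pem
"""


def parse_simple_yaml(text: str) -> Dict[str, Any]:
    """Parse nested 'key: value' lines by indentation; '#' starts a comment.

    Deliberately minimal: no lists, no quoted '#' characters, no anchors.
    """
    root: Dict[str, Any] = {}
    stack = [(-1, root)]  # (indent, mapping) of the enclosing mappings
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(":")
        while indent <= stack[-1][0]:  # close deeper/sibling mappings
            stack.pop()
        parent = stack[-1][1]
        value = value.strip().strip('"')
        if value:
            parent[key] = value
        else:  # a key with no value opens a nested mapping
            child: Dict[str, Any] = {}
            parent[key] = child
            stack.append((indent, child))
    return root


def config_path(env: Mapping[str, str]) -> str:
    """KMS_CONFIG wins; otherwise the default ${HOME}/.ovh-kms/okms.yaml."""
    if env.get("KMS_CONFIG"):
        return env["KMS_CONFIG"]
    return os.path.join(env.get("HOME", ""), ".ovh-kms", "okms.yaml")


def validate(profile: Dict[str, Any]) -> str:
    """Check the profile is complete for its auth mode; return the mode."""
    restapi = profile.get("restapi", {})
    auth = restapi.get("auth", {})
    if not restapi.get("endpoint"):
        raise ValueError("restapi.endpoint is required")
    mode = auth.get("type", "mtls")  # assumption: no 'type' means mTLS
    if mode == "token":
        required = ("token", "okmsId")
    elif mode == "mtls":
        required = ("cert", "key")
    else:
        raise ValueError(f"unknown auth type {mode!r}")
    missing = [k for k in required if not auth.get(k)]
    if missing:
        raise ValueError(f"{mode} auth is missing: {', '.join(missing)}")
    return mode


def resolve(config_text: str, env: Mapping[str, str]) -> Dict[str, Any]:
    """Return the active profile with environment overrides applied."""
    doc = parse_simple_yaml(config_text)
    name = doc.get("profile", "default")
    profile = doc.get("profiles", {}).get(name)
    if profile is None:
        raise ValueError(f"active profile {name!r} not found in config")
    for var, path in ENV_OVERRIDES.items():
        if var in env:
            node = profile
            for key in path[:-1]:
                node = node.setdefault(key, {})
            node[path[-1]] = env[var]
    validate(profile)
    return profile


if __name__ == "__main__":
    # Switch the constructed mTLS sample to token auth purely via environment.
    env = {"KMS_RESTAPI_TYPE": "token", "KMS_RESTAPI_TOKEN": "<token>",
           "KMS_RESTAPI_OKMSID": "<okms-id>"}
    print(resolve(SAMPLE_MTLS, env)["restapi"]["auth"])
```

The validation step is the part worth keeping in any real wrapper: a profile that silently falls back to the wrong auth mode, or an override that sets `type: token` without `okmsId`, is better rejected before the plugin ever contacts the endpoint.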

Usage

The plugin uses the ovhcloud:// URI scheme followed by the UUID of the key to use for cryptographic operations.

URI format: ovhcloud://<key_uuid>

Generating a key pair

cosign generate-key-pair --kms ovhcloud://<key_name>

Extracting the public key

cosign public-key --key ovhcloud://<key_id>

Docker image

Signing

cosign sign --key ovhcloud://<key_id> <my_image>@<image_digest>

Verifying

cosign verify --key ovhcloud://<key_id> <my_image>@<image_digest>
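As an added example for this page (not code from the plugin or from cosign), the helper below builds the cosign invocations shown in this section and applies two pre-flight checks before anything is run: the key reference must have the ovhcloud://<key_uuid> shape described under Usage, and the image must be pinned by @sha256:<digest> as in the sign and verify commands above, rather than a mutable tag. It assumes cosign and the plugin are installed and on PATH, as the README's commands do; when cosign is absent it only prints the command. The key UUID and digest in the sample are constructed placeholders.

```python
"""Build and pre-check cosign commands for ovhcloud:// keys.

Added example for the README; not the plugin's or cosign's code.
"""
import re
import shutil
import subprocess
from typing import List

# ovhcloud://<key_uuid>, as documented under Usage.
KEY_URI = re.compile(
    r"^ovhcloud://([0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12})$",
    re.IGNORECASE,
)
# <image>@sha256:<64 hex digits>; a tag-only reference does not match.
DIGEST_REF = re.compile(r"^[^@\s]+@sha256:[0-9a-f]{64}$")

# Constructed sample values (placeholders, not real identifiers).
SAMPLE_KEY = "ovhcloud://00000000-0000-4000-8000-000000000001"
SAMPLE_IMAGE = "registry.example/team/app@sha256:" + "0123456789abcdef" * 4


def check_key_uri(uri: str) -> str:
    """Return the lower-cased key UUID or raise if the URI is malformed."""
    match = KEY_URI.match(uri)
    if not match:
        raise ValueError(f"expected ovhcloud://<key_uuid>, got {uri!r}")
    return match.group(1).lower()


def check_digest_ref(image: str) -> str:
    """Refuse image references that are not pinned by digest."""
    if not DIGEST_REF.match(image):
        raise ValueError(f"image must be <image>@sha256:<digest>, got {image!r}")
    return image


def generate_key_pair_cmd(key_name: str) -> List[str]:
    """cosign generate-key-pair takes a key name here, as in the README."""
    return ["cosign", "generate-key-pair", "--kms", f"ovhcloud://{key_name}"]


def public_key_cmd(key_uri: str) -> List[str]:
    check_key_uri(key_uri)
    return ["cosign", "public-key", "--key", key_uri]


def sign_cmd(key_uri: str, image: str) -> List[str]:
    check_key_uri(key_uri)
    check_digest_ref(image)
    return ["cosign", "sign", "--key", key_uri, image]


def verify_cmd(key_uri: str, image: str) -> List[str]:
    check_key_uri(key_uri)
    check_digest_ref(image)
    return ["cosign", "verify", "--key", key_uri, image]


def run(argv: List[str]) -> int:
    """Run the command if cosign is on PATH; otherwise print it and return 127."""
    if shutil.which(argv[0]) is None:
        print("dry run (cosign not on PATH):", " ".join(argv))
        return 127
    return subprocess.run(argv, check=False).returncode


if __name__ == "__main__":
    for argv in (public_key_cmd(SAMPLE_KEY),
                 sign_cmd(SAMPLE_KEY, SAMPLE_IMAGE),
                 verify_cmd(SAMPLE_KEY, SAMPLE_IMAGE)):
        run(argv)
```

Rejecting tag-only references at this point matters because a signature binds to the manifest digest: signing `app:latest` records whatever that tag resolves to at the moment of signing, and the verification step is only meaningful against the same digest-pinned reference.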

Related links
