
docs: add signing-config and trusted-root workflow for self-hosted infrastructure #428

Open
andrewdunndev wants to merge 1 commit into sigstore:main from andrewdunndev:add-self-hosted-signing-config


@andrewdunndev

Summary

Expand the "Configuring Cosign with Custom Components" page with
documentation for the cosign v3 signing-config and trusted-root
workflow.

What does this PR do?

Adds a new section to custom_components.md covering:

  • cosign signing-config create for specifying self-hosted service
    endpoints (Fulcio, Rekor, OIDC provider)
  • cosign trusted-root create for assembling verification material
  • The signing and verification workflow using --signing-config and
    --trusted-root flags
  • A note on --use-signing-config=false for using legacy URL flags

This expands on the existing Option 3 (manual trusted root) by
adding the signing-config side and showing the complete workflow.

What was validated

Tested end-to-end with cosign v3.0.6 against a self-hosted Fulcio
v1.6.6 and Rekor v1.3.8 stack. Signing and verification both
succeeded using the documented commands.

Notes

  • The --oidc-client-id flag is not yet part of the signing config
    format. The section notes this as a current limitation.
  • The key-value pairs for trusted-root create differ from
    signing-config create (e.g., certificate-chain vs
    api-version). The section includes a table documenting these
    differences.

Signed-off-by: Andrew Dunn andunn@gitlab.com

…frastructure

Expand the custom components page with documentation for the cosign v3
signing-config and trusted-root workflow. This covers creating signing
configurations, assembling trusted roots, and the signing/verification
flow for self-hosted Sigstore infrastructure.

Tested with cosign v3.0.6 against self-hosted Fulcio v1.6.6 and
Rekor v1.3.8.

Signed-off-by: Andrew Dunn <andrew@dunn.dev>
@netlify

netlify Bot commented Apr 16, 2026

Deploy Preview for docssigstore ready!

Name Link
🔨 Latest commit ec95fd9
🔍 Latest deploy log https://app.netlify.com/projects/docssigstore/deploys/69e06573cb508e00095218ca
😎 Deploy Preview https://deploy-preview-428--docssigstore.netlify.app

artifact.txt
```

### Use URL flags with cosign v3
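
Review bot: the "### Use URL flags with cosign v3" heading at the end of this hunk gives the URL-flag path its own section next to the signing-config workflow, although the PR description itself calls these "legacy URL flags". Either drop the section or reduce it to a one-line note that --use-signing-config=false exists, so the page keeps steering self-hosted users to --signing-config and --trusted-root.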
Contributor


While this is supported, this is not the primary recommendation so it shouldn't be in documentation.

Contributor


@andrewdunndev can you remove this?
