We'd like to use CoSign to sign our docker image builds. CoSign supports Keyless Signing with Fulcio through OIDC identities (Documentation). However, it is required that the `aud` claim is set to "sigstore". Currently, it's not possible to configure any of the claims in the JWT, which is a blocker.
GitLab and GitHub already support configurable audience claims in their tokens, see:
- https://docs.gitlab.com/ee/ci/secrets/id_token_authentication.html#id-tokens
I hope Bitbucket will put configurable JWT claims on their roadmap.
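For anyone evaluating whether their pipeline's OIDC token can be used for keyless signing at all, the first thing to check is the `aud` claim the provider actually mints. The following is an added example (not code from this thread, from Bitbucket, or from the cosign/sigstore projects): it decodes a JWT's payload and checks the audience against the `sigstore` value Fulcio expects, handling both forms RFC 7519 allows for `aud` (a single string or an array). The sample tokens are constructed in the script with a demo HS256 key and a placeholder issuer `https://ci.example.invalid`; they are not real Bitbucket tokens, and the script does not verify signatures, so it is an inspection aid only.

```python
"""Inspect a CI-issued OIDC ID token and report whether its `aud` claim is the
one Fulcio requires for keyless signing.

Added example, not code from the original thread or from cosign/sigstore.
No signature verification is performed; this only shows which audience the
token was minted for."""
import base64
import hashlib
import hmac
import json

EXPECTED_AUDIENCE = "sigstore"  # audience Fulcio requires for keyless signing


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    padding = "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment + padding)


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def decode_claims(token: str) -> dict:
    """Return the payload claims of a compact JWS (header.payload.signature).

    The signature is NOT checked here; use this to see what your provider put
    in the token, not to trust it."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS: expected 3 dot-separated segments")
    return json.loads(_b64url_decode(parts[1]))


def audience_ok(token: str, expected: str = EXPECTED_AUDIENCE) -> bool:
    """True if the token's `aud` claim names `expected`.

    RFC 7519 allows `aud` to be a single string or an array of strings, so
    both shapes are accepted; a missing or malformed claim is a failure."""
    aud = decode_claims(token).get("aud")
    if isinstance(aud, str):
        return aud == expected
    if isinstance(aud, list):
        return expected in aud
    return False


def make_constructed_token(claims: dict, key: bytes = b"constructed-demo-key") -> str:
    """Build an HS256-signed JWT from `claims` purely for demonstration.

    Real CI tokens are asymmetrically signed by the provider; this constructed
    token only reproduces the layout so the claim inspection can be exercised."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = ".".join(
        _b64url_encode(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, claims)
    )
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


# Constructed sample tokens with a placeholder issuer (not real provider tokens).
ISSUER = "https://ci.example.invalid"

# A token whose audience is whatever the provider chose, not configurable:
PIPELINE_DEFAULT_TOKEN = make_constructed_token(
    {"iss": ISSUER, "sub": "repo:example/app", "aud": ISSUER + "/default-audience"}
)
# A token minted with the audience Fulcio requires:
SIGSTORE_TOKEN = make_constructed_token(
    {"iss": ISSUER, "sub": "repo:example/app", "aud": "sigstore"}
)
# A token carrying several audiences, one of which is sigstore:
MULTI_AUD_TOKEN = make_constructed_token(
    {"iss": ISSUER, "sub": "repo:example/app", "aud": ["sigstore", ISSUER]}
)

if __name__ == "__main__":
    for name, tok in (("default", PIPELINE_DEFAULT_TOKEN),
                      ("sigstore", SIGSTORE_TOKEN),
                      ("multi", MULTI_AUD_TOKEN)):
        print(f"{name:9s} aud={decode_claims(tok).get('aud')!r} "
              f"usable_for_fulcio={audience_ok(tok)}")
```

Running the script prints one line per constructed token; only the two whose `aud` includes `sigstore` pass. Pointed at a real pipeline token, the same `audience_ok` check tells you up front whether keyless signing can work, before cosign ever talks to Fulcio.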
Agreed. In the age of DevSecOps, Bitbucket lacking this makes me want to help my company choose another provider that has modern security options.