We'd like to use CoSign to sign our Docker image builds. CoSign supports Keyless Signing with Fulcio through OIDC identities (Documentation). However, it is required that the `aud` claim is set to "sigstore". Currently it's not possible to configure any of the claims in the JWT, which is a blocker.
GitLab and GitHub already support configurable audience claims in their tokens, see:
- https://docs.gitlab.com/ee/ci/secrets/id_token_authentication.html#id-tokens
I hope Bitbucket will put configurable JWT claims on their roadmap.
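As an added example (not from this post, Cosign, Fulcio or Bitbucket), a pre-flight check a pipeline could run before the signing step: it decodes the CI-issued ID token's payload and confirms the `aud` claim carries the "sigstore" audience the post says Fulcio requires, and that the token is not expired. The tokens it inspects are constructed inline; the signature is deliberately not verified here, since that is Fulcio's job, so this only tells you whether the claims are right.

```python
import base64
import json
import time
from typing import Optional

REQUIRED_AUD = "sigstore"  # audience Fulcio expects, per the post above


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def jwt_claims(token: str) -> dict:
    """Return the payload claims of a compact JWT WITHOUT verifying its signature.
    This is a claims inspection only; Fulcio verifies the signature against the issuer."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def audience_ok(token: str, required: str = REQUIRED_AUD,
                now: Optional[float] = None) -> bool:
    """True when the aud claim contains `required` and the token is unexpired.
    RFC 7519 allows aud to be a single string or a list of strings, so accept both."""
    claims = jwt_claims(token)
    aud = claims.get("aud")
    audiences = [aud] if isinstance(aud, str) else list(aud or [])
    if required not in audiences:
        return False
    exp = claims.get("exp")
    now = time.time() if now is None else now
    return exp is None or now < exp


def make_unsigned_token(claims: dict) -> str:
    """Constructed test helper: build an unsigned (alg=none) token so the check runs
    offline. Real CI tokens are signed by the provider; this is for illustration only."""
    def enc(obj: dict) -> str:
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."


if __name__ == "__main__":
    # Constructed sample: a token whose audience is not what Fulcio wants
    sample = make_unsigned_token({"iss": "https://ci.example.invalid", "aud": "https://api.example.invalid", "exp": 2000000000})
    print("aud ok:", audience_ok(sample, now=1000000000))  # False: signing would be rejected
```

In a pipeline, failing the job on a `False` here gives a clear "wrong audience" message instead of a later Fulcio error.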
Agreed. In the age of DevSecOps, Bitbucket lacking this makes me want to help my company choose another provider that has modern security options.