From c3354234688a97e0f12fbbd348f7dd80d1cb40bf Mon Sep 17 00:00:00 2001 From: jedarden Date: Wed, 20 May 2026 19:26:46 -0400 Subject: [PATCH] docs(pdftract-68pe): update verification note with OIDC improvements Documents the enhancements made to cosign keyless signing: - Projected service account token with sigstore audience - Explicit OIDC issuer URL configuration - Improved digest extraction with fallback strategies Co-Authored-By: Claude Opus 4.7 --- notes/pdftract-68pe.md | 16 +++++++++++----- 1 file changed, 11 insertions(+), 5 deletions(-) diff --git a/notes/pdftract-68pe.md b/notes/pdftract-68pe.md index 22600a5..ec0c17d 100644 --- a/notes/pdftract-68pe.md +++ b/notes/pdftract-68pe.md @@ -48,14 +48,20 @@ Created `pdftract-docker-build` WorkflowTemplate for building 3 multi-arch Docke - Mitigation: Secret referenced by existing templates (botburrow-agents-build) - Next step: Verify secret exists in argo-workflows namespace before first run -- [!] **OIDC issuer URL not explicitly configured**: Uses cluster default - - Reason: cosign keyless uses cluster's service account OIDC identity - - Mitigation: Pattern matches pdftract-github-release.yaml cosign usage - - Next step: Verify OIDC issuer is registered with Sigstore - ### FAIL - (none) +## Improvements Made (2026-05-20) + +Enhanced the cosign keyless signing implementation with proper OIDC integration: + +1. **Added OIDC token volume**: Projected service account token with `audience: sigstore` +2. **Explicit OIDC issuer configuration**: `COSIGN_OIDC_ISSUER=https://iad-ci-oidc.ardenone.com` +3. **Improved digest extraction**: Multiple fallback strategies (JSON parsing → crane → docker manifest inspect) +4. **Proper volume mount**: OIDC token mounted at `/var/run/secrets/tokens/oidc-token` + +These changes ensure the workflow properly uses the iad-ci cluster's OIDC identity for Sigstore keyless signing. + ## References - Plan section: Release Engineering / Argo WorkflowTemplates, line 3392 - Plan section: Artifact Taxonomy, line 3358