Kaspersky Container Security

Creating an integration with a signature verification module

March 27, 2024

ID 265764

To add an integration with an image signature validator:

  1. In the Administration → Integrations → Image signature validators section, click the Add signature validator button.

    The integration settings window opens.

  2. In the General information section, enter a policy name and, if necessary, a policy description.
  3. In the Type section, select one of the following signature validators:
    • Notary v1.
    • Cosign.
  4. Depending on the selected signature validator, specify the server authentication credentials:
    • For Notary v1, specify the following settings:
      • Web address – the full web address of the server where image signatures are stored.
      • Signature server authentication secret name – the name of the orchestrator secret with credentials for accessing the server where image signatures are stored.

        The secret must be in the Kaspersky Container Security namespace.

      • Certificate – a self-generated certificate for the server where signatures are stored. The certificate is provided in .PEM format.
      • Delegations – list of signature holders participating in the signing process.
      • In the Trusted root keys section, specify all public keys that the solution will check during signature verification, each as a key pair consisting of the key name and the key value.

        If necessary, you can add additional keys by clicking the Add key pair button. The solution supports up to 20 key pairs.

    • For Cosign, specify the following settings:
      • Signature server authentication secret name – the name of the orchestrator secret with credentials for accessing the server where image signatures are stored.

        The secret must be in the Kaspersky Container Security namespace.

      • Certificate – a self-generated certificate for the server where signatures are stored. The certificate is provided in .PEM format.
      • In the Trusted root keys section, specify all public keys that the solution will check during signature verification, each as a key pair consisting of the key name and the key value.

        For Cosign, specify ECDSA or RSA public keys, as provided in the cosign.pub file.

        If necessary, you can add additional keys by clicking the Add key pair button. The solution supports up to 20 key pairs.

      • In the Signature requirements section, specify the minimum number of signatures and the signature holders who must sign the image.
  5. Click the Save button at the top of the window to save the settings for integration with an image signature validator.

You can use the configured integration in runtime policies to ensure protection of the image content.
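As an added example, not part of the Kaspersky Container Security documentation or product code, the following Go program shows what the settings above amount to when a validator runs: a list of trusted root keys (a holder name and a PEM public key value, as found in a cosign.pub file) and a signature requirement (minimum number of distinct signatures plus mandatory holders) are applied to the signatures attached to an image payload. The holder names, keys and payload are constructed; `MustGenerateTrustedKey` is a hypothetical helper that stands in for the cosign.pub you would configure; RSA keys, which the product also accepts, are left out; the product's own verification code is not shown.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"encoding/pem"
	"fmt"
)

// TrustedKey is one key pair from the Trusted root keys section: holder name plus PEM public key (cosign.pub).
type TrustedKey struct{ Name, PEM string }

// Signature is one signature on an image: the claimed holder and the ASN.1 DER ECDSA signature over sha256(payload).
type Signature struct {
	Holder string
	DER    []byte
}

// Requirements mirrors the Signature requirements section.
type Requirements struct {
	MinSignatures   int      // distinct trusted holders that must have signed
	RequiredHolders []string // holders whose signature is mandatory
}

// MustGenerateTrustedKey is a hypothetical helper that makes a P-256 key pair
// so the example runs offline; in practice the public key comes from cosign.pub.
func MustGenerateTrustedKey(name string) (TrustedKey, *ecdsa.PrivateKey) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	der, err := x509.MarshalPKIXPublicKey(&priv.PublicKey)
	if err != nil {
		panic(err)
	}
	pemText := pem.EncodeToMemory(&pem.Block{Type: "PUBLIC KEY", Bytes: der})
	return TrustedKey{Name: name, PEM: string(pemText)}, priv
}

// Sign produces an ECDSA signature over sha256(payload) on behalf of holder.
func Sign(priv *ecdsa.PrivateKey, holder string, payload []byte) (Signature, error) {
	digest := sha256.Sum256(payload)
	der, err := ecdsa.SignASN1(rand.Reader, priv, digest[:])
	if err != nil {
		return Signature{}, err
	}
	return Signature{Holder: holder, DER: der}, nil
}

// VerifyImageSignatures checks each signature with the trusted key of the holder it claims, counts distinct
// holders with a valid signature and enforces the requirements; a non-nil error means the image is rejected.
func VerifyImageSignatures(payload []byte, sigs []Signature, trusted []TrustedKey, req Requirements) (map[string]bool, error) {
	keys := make(map[string]*ecdsa.PublicKey, len(trusted))
	for _, tk := range trusted {
		block, _ := pem.Decode([]byte(tk.PEM))
		if block == nil {
			return nil, fmt.Errorf("trusted key %q: no PEM block", tk.Name)
		}
		pub, err := x509.ParsePKIXPublicKey(block.Bytes)
		if err != nil {
			return nil, fmt.Errorf("trusted key %q: %w", tk.Name, err)
		}
		ec, ok := pub.(*ecdsa.PublicKey) // RSA keys, also accepted by the product, are out of scope here
		if !ok {
			return nil, fmt.Errorf("trusted key %q: not an ECDSA key", tk.Name)
		}
		keys[tk.Name] = ec
	}
	digest := sha256.Sum256(payload)
	verified := map[string]bool{}
	for _, s := range sigs {
		// Unknown holders are never counted; several signatures by one holder count once.
		if pub, ok := keys[s.Holder]; ok && ecdsa.VerifyASN1(pub, digest[:], s.DER) {
			verified[s.Holder] = true
		}
	}
	if len(verified) < req.MinSignatures {
		return verified, fmt.Errorf("%d valid signature(s), %d required", len(verified), req.MinSignatures)
	}
	for _, h := range req.RequiredHolders {
		if !verified[h] {
			return verified, fmt.Errorf("required holder %q has no valid signature", h)
		}
	}
	return verified, nil
}

func main() {
	payload := []byte(`{"critical":{"image":{"docker-manifest-digest":"sha256:PLACEHOLDER"}}}`) // constructed Cosign-style payload
	tkA, privA := MustGenerateTrustedKey("build-team")
	tkB, privB := MustGenerateTrustedKey("security-team")
	sigA, _ := Sign(privA, "build-team", payload)
	sigB, _ := Sign(privB, "security-team", payload)
	req := Requirements{MinSignatures: 2, RequiredHolders: []string{"security-team"}}
	fmt.Println(VerifyImageSignatures(payload, []Signature{sigA, sigB}, []TrustedKey{tkA, tkB}, req))
}
```

Two details matter for the "minimum number of signatures" setting: a signature whose claimed holder is not among the trusted root keys, or that does not verify under that holder's key, contributes nothing, and two signatures from the same holder count as one, so the threshold is a count of distinct trusted signers rather than of signature objects.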
