diff --git a/KEYLESS.md b/KEYLESS.md index 1fa557eef033..e06a9e7f7f2b 100644 --- a/KEYLESS.md +++ b/KEYLESS.md @@ -116,6 +116,31 @@ Signature timestamps are checked in the [rekor](/~https://github.com/sigstore/reko * Probably a lot more: This is very experimental. * More OIDC providers: Obvious. +## Public Staging Environment + +There is a public staging environment that is running Fulcio, Rekor and OIDC issuer endpoints at + +* https://fulcio.sigstage.dev +* https://rekor.sigstage.dev +* https://oauth2.sigstage.dev/auth + +These instances are operated and maintained in the same manner as the public production environment for Sigstore. + +### Usage + +To use this instance, follow the steps below: + +1. `rm -r ~/.sigstore` +1. `gsutil cp -r gs://tuf-root-staging .` +1. `cd tuf-root-staging` +1. `cosign initialize --mirror=tuf-root-staging --root=root.json` +1. `COSIGN_EXPERIMENTAL=1 cosign sign --oidc-issuer "https://oauth2.sigstage.dev/auth" --fulcio-url "https://fulcio.sigstage.dev" --rekor-url "https://rekor.sigstage.dev" ${IMAGE}` +1. `COSIGN_EXPERIMENTAL=1 cosign verify --rekor-url "https://rekor.sigstage.dev" ${IMAGE}` + +* Steps 1-4 configures your local environment to use the staging keys and certificates. +* Steps 5 specify the staging environment with flags needed for signing. +* Steps 6 specify the staging environment with flags needed for verifying. + ## Custom Infrastructure If you're running your own sigstore services flags are available to set your own endpoint's, e.g
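Review bot: The three bullets after the numbered list in the Usage section have subject-verb mismatches and should read "Steps 1-4 configure your local environment...", "Step 5 specifies the staging environment with the flags needed for signing." and "Step 6 specifies the staging environment with the flags needed for verifying." The same section should also carry a caveat that step 1 (`rm -r ~/.sigstore`) wipes the local sigstore state, including any previously initialized trust root, so a reader who later wants to return to production needs to re-run `cosign initialize` against the production root; as written the section explains how to switch to staging but not how to switch back. Finally, `${IMAGE}` in steps 5 and 6 is never introduced; a short line stating that it is the image reference to sign and verify would make the steps self-contained.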