Verify Keyless Package Signatures
What you’ll accomplish

UDS CLI validates package signatures when it creates, inspects, or deploys packages from a bundle. By the end of this guide you’ll know how to:
- Verify a package with Sigstore keyless certificate identity and issuer constraints
- Configure exact-match or regex-based keyless constraints
- Add advanced keyless options when your environment requires them
- Disable package signature validation only when you explicitly accept that risk
Prerequisites

- UDS CLI installed
- A uds-bundle.yaml referencing one or more keyless-signed Zarf packages
- The expected signing certificate identity and OIDC issuer from the package publisher
Before you begin

Keyless package signature verification is configured per package in uds-bundle.yaml with keylessVerification.

Keyless verification requires one certificate identity constraint and one OIDC issuer constraint. Use exact-match fields when the publisher’s signing identity is stable. Use regex fields when the trusted identity changes predictably, such as a release workflow identity that includes a version tag.

```yaml
packages:
  - name: example
    repository: ghcr.io/example/package
    ref: 1.0.0
    keylessVerification:
      certificateIdentity: https://github.com/example/repo/.github/workflows/release.yml@refs/tags/v1.0.0
      certificateOIDCIssuer: https://token.actions.githubusercontent.com
```
1. Get the expected signing identity

   Ask the package publisher for the certificate identity and OIDC issuer used to sign the package. For GitHub Actions keyless signing, the issuer is commonly https://token.actions.githubusercontent.com.
2. Configure keyless verification

   Add keylessVerification to the package entry with certificate identity and OIDC issuer constraints:

   uds-bundle.yaml

   ```yaml
   kind: UDSBundle
   metadata:
     name: keyless-package-example
     version: 0.0.1
   packages:
     - name: init
       repository: ghcr.io/zarf-dev/packages/init
       ref: v0.77.0
       keylessVerification:
         certificateIdentityRegexp: https://github\.com/zarf-dev/zarf/\.github/workflows/release\.yml@refs/tags/v\d+\.\d+\.\d+
         certificateOIDCIssuer: https://token.actions.githubusercontent.com
   ```

   Keyless verification requires one identity field and one issuer field:

   | Required constraint | Exact match | Regex match |
   | --- | --- | --- |
   | Certificate identity | certificateIdentity | certificateIdentityRegexp |
   | OIDC issuer | certificateOIDCIssuer | certificateOIDCIssuerRegexp |

   Use exact matches when the signing identity is stable. Use regex matches when the trusted identity changes predictably, such as a release workflow identity that includes a version tag.
3. Add advanced keyless options only when needed

   Most keyless verification should use the default trusted root and transparency log verification. Add these fields only when the package publisher or your environment requires them. Note that insecureIgnoreTlog turns off the transparency log check that is part of the default verification, so set it only where you have accepted that reduced assurance.

   uds-bundle.yaml

   ```yaml
   packages:
     - name: private-package
       repository: registry.example.com/packages/private-package
       ref: 1.0.0
       keylessVerification:
         certificateIdentity: https://github.com/example/repo/.github/workflows/release.yml@refs/tags/v1.0.0
         certificateOIDCIssuer: https://token.actions.githubusercontent.com
         trustedRoot: |
           <sigstore-trusted-root-json>
         useSignedTimestamps: true
         insecureIgnoreTlog: true
   ```
4. Run a UDS CLI command that verifies package signatures

   Package signatures are verified automatically during bundle create, inspect, and deploy operations unless signature validation is skipped. Use the commands in the Verification section to confirm the configuration works.
Verification

Inspect the bundle configuration before creating the bundle:

```shell
uds inspect uds-bundle.yaml
```

Create the bundle:

```shell
uds create . --confirm
```

Deploy the bundle without --skip-signature-validation:

```shell
uds deploy uds-bundle.tar.zst --confirm
```

If verification fails, UDS CLI stops before continuing with the package operation.

To bypass package signature verification, use --skip-signature-validation:

```shell
uds inspect uds-bundle.yaml --skip-signature-validation
```

Troubleshooting
Problem: Keyless verification is missing identity or issuer

Symptom: UDS CLI returns an error saying keyless verification requires certificate identity or OIDC issuer configuration.

Solution: Set one identity field (certificateIdentity or certificateIdentityRegexp) and one issuer field (certificateOIDCIssuer or certificateOIDCIssuerRegexp).

Problem: Package is signed but keyless verification is not configured

Symptom: UDS CLI returns an error saying the package is signed but no verification material was provided.

Solution: Add keylessVerification for the signed package, or use --skip-signature-validation only if you have verified the package through another trusted process.
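The constraint rule from the configuration step (exactly one identity field and exactly one issuer field per package) and both Troubleshooting problems can be caught before you ever run uds. The following script is an added example, not part of UDS CLI or the UDS documentation: it lints the keylessVerification blocks of a bundle, checks that a regex constraint compiles and actually accepts the identity the publisher told you to expect (so a pattern meant for release tags does not silently accept a branch ref), and reports insecureIgnoreTlog so a reviewer sees that transparency log checking is disabled. The sample bundle and the expected v0.77.0 identity are constructed for the example; the use of Python's re.fullmatch is this script's own assumption and does not describe how UDS CLI or Sigstore evaluate the pattern.

```python
"""Lint the keylessVerification blocks of a uds-bundle.yaml before running UDS CLI.

Added example, not part of UDS CLI. It applies the rule the guide states
(exactly one identity constraint and exactly one issuer constraint per
package), checks that regex constraints compile and accept the identity the
publisher said to expect, and reports insecureIgnoreTlog. Matching uses
Python's re.fullmatch; that anchoring is an assumption of this script, not
a statement about how UDS CLI or Sigstore evaluate the pattern.
"""
import re

IDENTITY_FIELDS = ("certificateIdentity", "certificateIdentityRegexp")
ISSUER_FIELDS = ("certificateOIDCIssuer", "certificateOIDCIssuerRegexp")


def _check_constraint(kv, exact_key, regex_key, expected, label):
    """Return findings for one exact/regex constraint pair.

    `expected` is the value the publisher told you to expect (None skips that
    comparison); `label` prefixes each finding so the report reads per package.
    """
    present = [k for k in (exact_key, regex_key) if k in kv]
    if len(present) != 1:
        return [f"{label}: need exactly one of {exact_key} or {regex_key}, "
                f"found {present or 'none'}"]
    key, value = present[0], kv[present[0]]
    if key == regex_key:
        try:
            pattern = re.compile(value)
        except re.error as exc:
            return [f"{label}: regex does not compile: {exc}"]
        if expected is not None and pattern.fullmatch(expected) is None:
            return [f"{label}: regex {value!r} does not match expected {expected!r}"]
    elif expected is not None and value != expected:
        return [f"{label}: exact value {value!r} differs from expected {expected!r}"]
    return []


def lint_package(pkg, expected_identity=None, expected_issuer=None):
    """Return a list of findings for one package entry; an empty list means clean."""
    name = pkg.get("name", "<unnamed>")
    kv = pkg.get("keylessVerification")
    if kv is None:
        # Second Troubleshooting problem: signed package, no verification material.
        return [f"{name}: no keylessVerification block"]
    findings = _check_constraint(kv, *IDENTITY_FIELDS, expected_identity, f"{name}: identity")
    findings += _check_constraint(kv, *ISSUER_FIELDS, expected_issuer, f"{name}: issuer")
    if kv.get("insecureIgnoreTlog"):
        findings.append(f"{name}: insecureIgnoreTlog is set; transparency-log verification is disabled")
    return findings


def lint_bundle(bundle, expectations=None):
    """Lint every package; `expectations` maps package name -> {identity, issuer}."""
    expectations = expectations or {}
    report = {}
    for pkg in bundle.get("packages", []):
        exp = expectations.get(pkg.get("name"), {})
        report[pkg.get("name")] = lint_package(pkg, exp.get("identity"), exp.get("issuer"))
    return report


# Constructed sample: the guide's init package plus a deliberately broken entry.
# For a real file, load it with PyYAML (yaml.safe_load) and pass the dict in.
SAMPLE_BUNDLE = {
    "kind": "UDSBundle",
    "metadata": {"name": "keyless-package-example", "version": "0.0.1"},
    "packages": [
        {
            "name": "init",
            "repository": "ghcr.io/zarf-dev/packages/init",
            "ref": "v0.77.0",
            "keylessVerification": {
                "certificateIdentityRegexp":
                    r"https://github\.com/zarf-dev/zarf/\.github/workflows/release\.yml@refs/tags/v\d+\.\d+\.\d+",
                "certificateOIDCIssuer": "https://token.actions.githubusercontent.com",
            },
        },
        {   # constructed: identity set, issuer missing (first Troubleshooting problem)
            "name": "broken",
            "repository": "registry.example.com/packages/broken",
            "ref": "1.0.0",
            "keylessVerification": {
                "certificateIdentity": "https://github.com/example/repo/.github/workflows/release.yml@refs/tags/v1.0.0",
            },
        },
    ],
}

# Constructed expectation: the identity a publisher would state for a v0.77.0 tag.
EXPECTED = {
    "init": {
        "identity": "https://github.com/zarf-dev/zarf/.github/workflows/release.yml@refs/tags/v0.77.0",
        "issuer": "https://token.actions.githubusercontent.com",
    },
}

if __name__ == "__main__":
    for name, findings in lint_bundle(SAMPLE_BUNDLE, EXPECTED).items():
        print(name, "OK" if not findings else "\n  " + "\n  ".join(findings))
```

Run it against the sample and the init package reports clean while the broken entry reports the missing issuer field; feeding a branch ref such as refs/heads/main as the expected identity produces a mismatch finding, which is the check that tells you a tag-only regex is doing its job.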