Infisical KMS integrates with Sigstore Cosign through the sigstore-kms-infisical plugin, enabling you to sign and verify container images and artifacts using keys managed in Infisical.

KMS Plugin Capabilities

Capability             Supported
Default Algorithm      RSA_4096
Supported Algorithms   RSA_4096, ECC_NIST_P256
CreateKey              Yes
PublicKey              Yes
SignMessage            Yes
VerifyMessage          Yes

Setup

1. Install the Plugin

For the Sigstore library to invoke the plugin, the binary must be in your system’s PATH.
git clone https://github.com/Infisical/sigstore-kms-infisical.git
cd sigstore-kms-infisical
go build -o sigstore-kms-infisical
cp sigstore-kms-infisical /usr/local/bin
2. Configure Environment Variables

The plugin uses environment variables for authentication. Currently only Machine Identity Universal Auth is supported. Set the following environment variables:
export INFISICAL_SITE_URL="https://app.infisical.com"
export INFISICAL_UNIVERSAL_AUTH_CLIENT_ID="<machine-identity-client-id>"
export INFISICAL_UNIVERSAL_AUTH_CLIENT_SECRET="<machine-identity-client-secret>"
export INFISICAL_PROJECT_ID="<infisical-kms-project-id>"
For self-hosted Infisical instances, set INFISICAL_SITE_URL to your instance’s URL.

Usage

Signing a Container Image

cosign sign --key "infisical://{KMS_KEY_NAME}" --tlog-upload=false my-repo/image:v1

Verifying a Container Image

cosign verify --key "infisical://{KMS_KEY_NAME}" --insecure-ignore-tlog=true my-repo/image:v1

Creating a New Key Pair

cosign generate-key-pair --kms infisical://{NEW_KEY_NAME}
This creates an RSA 4096 KMS key with the specified name, which you can then use for signing and verification.
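The steps above (plugin on PATH, four environment variables, then sign, verify and key creation) can be wrapped in a small preflight script so a CI job fails early with a clear message instead of an opaque cosign error. The script below is an added example, not code from Infisical or the sigstore-kms-infisical repository. It assumes cosign and the plugin are installed, and it reads the same INFISICAL_* variables the setup step exports; COSIGN_BIN is an assumed override so the wrapper can be dry-run with a stand-in for cosign.

```shell
#!/bin/sh
# Preflight checks and thin wrappers around cosign + the Infisical KMS plugin.
# Added example; not part of the Infisical docs or the plugin project.
# Assumes: cosign and sigstore-kms-infisical on PATH, INFISICAL_* vars exported.

COSIGN_BIN="${COSIGN_BIN:-cosign}"      # assumed override, e.g. for dry runs
PLUGIN_BIN="sigstore-kms-infisical"     # binary name cosign looks up on PATH

# Build the infisical:// key reference; reject empty names and names with '/'.
infisical_key_ref() {
  name="$1"
  case "$name" in
    ""|*/*) echo "invalid key name: '$name'" >&2; return 1 ;;
  esac
  printf 'infisical://%s\n' "$name"
}

# cosign locates the plugin by name, so it must be on PATH.
check_plugin() {
  command -v "$PLUGIN_BIN" >/dev/null 2>&1
}

# Report every missing Universal Auth variable; return 1 if any is unset.
check_env() {
  missing=""
  for v in INFISICAL_SITE_URL INFISICAL_UNIVERSAL_AUTH_CLIENT_ID \
           INFISICAL_UNIVERSAL_AUTH_CLIENT_SECRET INFISICAL_PROJECT_ID; do
    eval "val=\"\${$v:-}\""
    [ -n "$val" ] || missing="$missing $v"
  done
  if [ -n "$missing" ]; then
    echo "missing environment variables:$missing" >&2
    return 1
  fi
  return 0
}

# Run both checks; use as the first step of a signing or deploy job.
preflight() {
  check_plugin || { echo "$PLUGIN_BIN not found in PATH" >&2; return 1; }
  check_env
}

# Sign an image. Transparency-log upload is disabled, as in the usage above.
sign_image() {
  ref=$(infisical_key_ref "$2") || return 1
  "$COSIGN_BIN" sign --key "$ref" --tlog-upload=false "$1"
}

# Verify an image that was signed without a tlog entry. Returns cosign's
# exit status, so a deploy step can gate on it: verify_image IMG KEY || exit 1
verify_image() {
  ref=$(infisical_key_ref "$2") || return 1
  "$COSIGN_BIN" verify --key "$ref" --insecure-ignore-tlog=true "$1"
}

# Create a new KMS key in Infisical (RSA 4096 by default, per the docs).
create_key() {
  ref=$(infisical_key_ref "$1") || return 1
  "$COSIGN_BIN" generate-key-pair --kms "$ref"
}
```

Typical use is `preflight && verify_image my-repo/image:v1 "$KMS_KEY_NAME"` in the job that pulls the image; because `--insecure-ignore-tlog=true` skips Rekor, the only thing that binds the image to the signer is the Infisical key, so keep the Machine Identity secret scoped to that KMS project.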