Remote Signing of Attestations using Chainloop and SignServer
This integration allows users to send the attestation payload to a SignServer worker before sending it to Chainloop for storage. Think of this as a KMS-like approach, where the client environment can access the PKI infrastructure and send the data for remote signing.
Some of the benefits of this approach, as compared to the EJBCA approach:
The key can be stored on Hardware Security Modules (HSMs) where the signing takes place for additional security
You can leverage this key for signing with additional SignServer workers to handle other artifacts from the pipeline, such as binaries, documents, and more.
Prerequisites
Before you begin, you need:
Crypto and Signing workers configured in SignServer. You can follow the Tutorial - SignServer Container Signing with Cosign, since the steps for worker configuration are similar.
Once you have it configured, you can reach the SignServer signer worker at, for example, https://mysignserver/PlainSigner.
A running Chainloop instance. To deploy it, you can either run a local instance using this docker compose file or deploy to a Kubernetes cluster using the Chainloop Helm Chart.
How to Use SignServer for attestation signing
The Chainloop CLI can sign attestations using a preconfigured SignServer instance, by providing a key reference during the signing process:
> chainloop attestation push --key signserver://mysignserver/PlainSigner --signserver-ca-path mysignserver-chain.pem
The integration will send the payload to sign to SignServer, retrieve the signature, and craft and store the attestation DSSE envelope.
To verify the payload, instruct Chainloop to check the signature using the worker's public key and the CA chain. The CA chain is provided by EJBCA, which also issued the signing certificate to the SignServer worker.
> chainloop workflow run describe --digest sha256:a1b2c3 \
--verify true \
--cert my-worker-key.pem \
--chain ManagementCA.pem
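As an added illustration (not Chainloop's or SignServer's own code), the DSSE envelope crafting and verification that surrounds the remote-signing step described above, in Python with the standard library only. The remote_sign callable stands in for the round-trip to the SignServer worker, an HMAC replaces the worker's asymmetric signature so the example runs offline, and the keyid and in-toto statement are constructed values.

```python
import base64
import hashlib
import hmac
import json
from typing import Callable


# DSSE pre-authentication encoding: binds payloadType to the payload so a
# signature over one type cannot be replayed as a signature over another.
def pae(payload_type: str, payload: bytes) -> bytes:
    t = payload_type.encode("utf-8")
    return b"DSSEv1 %d %s %d %s" % (len(t), t, len(payload), payload)


def build_envelope(payload: bytes, payload_type: str,
                   remote_sign: Callable[[bytes], bytes], keyid: str) -> dict:
    """Craft a DSSE envelope; remote_sign stands in for the SignServer worker
    round-trip (PAE bytes in, raw signature bytes out)."""
    sig = remote_sign(pae(payload_type, payload))
    return {
        "payloadType": payload_type,
        "payload": base64.b64encode(payload).decode("ascii"),
        "signatures": [{"keyid": keyid, "sig": base64.b64encode(sig).decode("ascii")}],
    }


def verify_envelope(env: dict, verify: Callable[[bytes, bytes], bool]) -> bool:
    """Recompute the PAE from the envelope's own fields before checking the
    signature; verifying the raw payload alone would miss payloadType swaps."""
    payload = base64.b64decode(env["payload"])
    data = pae(env["payloadType"], payload)
    return any(verify(data, base64.b64decode(s["sig"])) for s in env["signatures"])


# Offline stand-in for the PlainSigner worker (assumption for this example):
# an HMAC instead of the worker's asymmetric signature, so no SignServer is needed.
_DEMO_KEY = b"constructed-demo-key"

def demo_remote_sign(data: bytes) -> bytes:
    return hmac.new(_DEMO_KEY, data, hashlib.sha256).digest()

def demo_verify(data: bytes, sig: bytes) -> bool:
    return hmac.compare_digest(demo_remote_sign(data), sig)


# Constructed in-toto statement standing in for a Chainloop attestation payload.
STATEMENT = json.dumps({"_type": "https://in-toto.io/Statement/v0.1",
                        "predicateType": "example/constructed", "subject": []}).encode()
IN_TOTO = "application/vnd.in-toto+json"

def roundtrip() -> bool:
    env = build_envelope(STATEMENT, IN_TOTO, demo_remote_sign, "constructed-keyid")
    return verify_envelope(env, demo_verify)

def tampered_type_rejected() -> bool:
    env = build_envelope(STATEMENT, IN_TOTO, demo_remote_sign, "constructed-keyid")
    env["payloadType"] = "application/json"  # same payload bytes, different type
    return not verify_envelope(env, demo_verify)
```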
To learn more about the integration and see examples, refer to the How-to guide: Use Keyfactor SignServer for attestation signing in the Chainloop documentation.
Next steps
In this guide, you learned how to use Chainloop and SignServer to sign attestations.
Here are some next steps we recommend:
If you are interested in SignServer Enterprise, read more on Keyfactor SignServer Enterprise.
If you are interested in SignServer Community, check out SignServer Community vs Enterprise or read more on signserver.org.
If you are a SignServer Enterprise customer and need support, visit the Keyfactor Support Portal.
Discuss with the SignServer Community on GitHub Discussions.