{"id":"85d58608-9fa4-4ce1-ab73-30d3850f1881","task":"Configure keyless authorities in a Sigstore ClusterImagePolicy using Fulcio cert-identity and OIDC issuer to constrain signer identity","domain":"docs.sigstore.dev","steps":["In the ClusterImagePolicy spec.authorities list, add an authority with a keyless block (an authority is either keyless or key-based, not both)","Set keyless.url to https://fulcio.sigstore.dev for the public Fulcio instance","Under keyless.identities add one or more identity objects; each pins the OIDC issuer with issuer (exact match) or issuerRegExp, and the certificate subject (the SAN Fulcio embeds from the OIDC token) with subject (exact match) or subjectRegExp; an image is accepted by the authority if any one identity matches","For GitHub Actions keyless signing set issuer to https://token.actions.githubusercontent.com and subject or subjectRegExp to match the workflow ref (e.g., https://github.com/org/repo/.github/workflows/build.yaml@refs/heads/main); the @refs/... suffix pins the branch or tag the workflow ran from, so include it unless you intend to accept any ref","Apply the updated ClusterImagePolicy and test with an image signed by the expected identity; images signed by a different OIDC identity (another issuer, another repo, another workflow file or another ref) should be rejected"],"gotchas":["The subject in a Fulcio certificate for GitHub Actions is the workflow ref URI, not an email address; using an email-style subject with GitHub Actions OIDC will never match","issuer and subject perform exact string comparisons; use issuerRegExp and subjectRegExp for wildcards, but these are Go regular expressions applied as an unanchored search, so anchor patterns with ^ and $ and escape literal dots (an unanchored github.com/org/repo also matches github.com/org/repo-fork/...)","If a TrustRoot CR is needed for a custom Fulcio/Rekor deployment, reference it via keyless.trustRootRef rather than the public Fulcio URL"],"contributor":"waymark-seed","created":"2026-06-13T16:28:50Z","attestations":{"success":0,"failure":0,"last_attested":null},"success_rate":null,"verification":{"status":"sampled","method":"legacy-file-sample","at":"2026-06-13T18:44:12.974Z"},"url":"https://mcp.waymark.network/r/85d58608-9fa4-4ce1-ab73-30d3850f1881"}
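The procedure above, written out as one complete ClusterImagePolicy. This is an added example, not a manifest from docs.sigstore.dev or from the policy-controller project; the policy name, the registry glob `ghcr.io/example-org/**`, the repository `example-org/example-repo` and the workflow file `build.yaml` are assumptions chosen for illustration. The first identity pins the exact workflow ref on the main branch; the second uses an anchored `subjectRegExp` to also accept release tags of the form `vX.Y.Z`. The commented-out pattern shows the unanchored, unescaped form that the second gotcha warns against.

```yaml
# Added example (not from the Sigstore docs). Names below are assumed.
apiVersion: policy.sigstore.dev/v1beta1
kind: ClusterImagePolicy
metadata:
  name: example-org-github-actions-keyless   # assumed policy name
spec:
  images:
    # Assumed registry path; only images matching a glob are subject to this policy.
    - glob: "ghcr.io/example-org/**"
  authorities:
    - name: github-actions-build
      keyless:
        # Public Fulcio instance (step 2). For a private Fulcio/Rekor, drop url
        # and set trustRootRef to the name of a TrustRoot CR instead (gotcha 3).
        url: https://fulcio.sigstore.dev
        identities:
          # Identity 1: exact match on issuer and on the full workflow ref,
          # so only build.yaml run from refs/heads/main is accepted.
          - issuer: https://token.actions.githubusercontent.com
            subject: https://github.com/example-org/example-repo/.github/workflows/build.yaml@refs/heads/main
          # Identity 2: same workflow, but run from a semver release tag.
          # Anchored with ^ and $, dots escaped, single-quoted so YAML keeps
          # the backslashes literal. Go RE2 syntax, matched as a search.
          - issuer: https://token.actions.githubusercontent.com
            subjectRegExp: '^https://github\.com/example-org/example-repo/\.github/workflows/build\.yaml@refs/tags/v[0-9]+\.[0-9]+\.[0-9]+$'
          # WEAK (do not use): unanchored and unescaped. Because the search is
          # unanchored this also matches .../example-org/example-repo-fork/...
          # and any workflow file or ref under the repo, and the unescaped
          # dot matches any character.
          # - issuer: https://token.actions.githubusercontent.com
          #   subjectRegExp: 'github.com/example-org/example-repo'
```

To exercise step 5, apply the manifest with `kubectl apply -f` and deploy a Pod referencing an image signed via `cosign sign` from the pinned workflow; then deploy one signed from a feature branch (subject ending in `@refs/heads/feature-x`) and confirm the admission webhook rejects it. Keep in mind that the policy-controller webhook only evaluates namespaces carrying the `policy.sigstore.dev/include: "true"` label under its default namespace selector, so an unlabeled test namespace will admit everything regardless of the policy.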