From 7fa5364f72dc2c306293f93174b04894060b64a8 Mon Sep 17 00:00:00 2001
From: Dimitri John Ledkov
Date: Wed, 3 Dec 2025 14:02:53 +0000
Subject: [PATCH] Add universal chainguard enforce commit signing config

This adds a universal chianguard enforce commit signing config. This supports all keyless and github verified signing methods, and covers all humans and trusted robots. Such config is universal, and will continue to work across repository renames and moves. If desired, the config can be locked down further but so far we haven't managed to make enforce a required check but hopefully such wide policy can actually be ratcheted to be made required as any and all signing methods are supported and trusted.

---
.chainguard/source.yaml | 19 +++++++++++++++++++
1 file changed, 19 insertions(+)
create mode 100644 .chainguard/source.yaml
diff --git a/.chainguard/source.yaml b/.chainguard/source.yaml
new file mode 100644
index 0000000..1519a68
--- /dev/null
+++ b/.chainguard/source.yaml
@@ -0,0 +1,19 @@
+# Copyright 2025 Chainguard, Inc.
+# SPDX-License-Identifier: Apache-2.0
+
+spec:
+ authorities:
+ - keyless:
+ url: https://fulcio.sigstore.dev
+ identities:
+ # Humans
+ - issuer: https://github.com/login/oauth
+ # Humans and service accounts
+ - issuer: https://accounts.google.com
+ # Github actions
+ - issuer: https://token.actions.githubusercontent.com
+ ctlog:
+ url: https://rekor.sigstore.dev
+ # Any github verified
+ github:
+ verified: true
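Review bot: Each keyless identity in the new source.yaml matches on `issuer` alone, so the policy is satisfied by a Fulcio certificate for any GitHub OAuth login, any Google account, or a GitHub Actions workflow running in any repository, which is wider than the `# Humans`, `# Humans and service accounts` and `# Github actions` comments suggest; the `github: verified: true` authority likewise accepts anything GitHub marks as verified, including commits GitHub itself signs for its web flow. If this schema exposes a subject constraint next to `issuer`, as sigstore policy-controller's identity matching does with `subject`/`subjectRegExp`, pinning the Actions identity to this organisation's workflows and the human identities to known accounts would make the policy enforce who signed rather than only which issuer was used. Until that lockdown happens, the comments should state what the policy actually checks rather than the intended signers, e.g. `# Any GitHub OAuth identity (not restricted to this org)` and `# Any GitHub Actions workflow, in any repository`.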