From fb6eaa0240788ecbe5b773e27aadab52d1cf07b9 Mon Sep 17 00:00:00 2001 From: Kim Christensen Date: Wed, 1 May 2024 00:40:37 +0200 Subject: [PATCH] Make Connect function check if signing tools are available Signed-off-by: Kim Christensen --- pkg/signing/plugin_adapter.go | 4 + pkg/signing/plugins/cosign/cosign.go | 6 +- pkg/signing/plugins/notation/notation.go | 5 +- .../plugins/proto/signing_protocol.pb.go | 174 ++++++++++++++---- .../plugins/proto/signing_protocol.proto | 5 + .../plugins/proto/signing_protocol_grpc.pb.go | 36 ++++ pkg/signing/plugins/signing_protocol.go | 2 + pkg/signing/pluginstore/grpc.go | 14 ++ pkg/signing/pluginstore/signer.go | 4 + pkg/signing/signer.go | 2 + 10 files changed, 217 insertions(+), 35 deletions(-) diff --git a/pkg/signing/plugin_adapter.go b/pkg/signing/plugin_adapter.go index cef3f4241..1b116a716 100644 --- a/pkg/signing/plugin_adapter.go +++ b/pkg/signing/plugin_adapter.go @@ -34,3 +34,7 @@ func (a PluginAdapter) Sign(ctx context.Context, ref string) error { func (a PluginAdapter) Verify(ctx context.Context, ref string) error { return a.plugin.Verify(ctx, ref) } + +func (a PluginAdapter) Connect(ctx context.Context) error { + return a.plugin.Connect(ctx) +} diff --git a/pkg/signing/plugins/cosign/cosign.go b/pkg/signing/plugins/cosign/cosign.go index 9d11cf494..6dbe81f8d 100644 --- a/pkg/signing/plugins/cosign/cosign.go +++ b/pkg/signing/plugins/cosign/cosign.go @@ -2,6 +2,7 @@ package cosign import ( "context" + "errors" "fmt" "os" "os/exec" @@ -35,13 +36,14 @@ func NewSigner(c *portercontext.Context, cfg PluginConfig) *Cosign { return s } -// TODO: we should get the certificate... here? func (s *Cosign) Connect(ctx context.Context) error { //lint:ignore SA4006 ignore unused ctx for now ctx, log := tracing.StartSpan(ctx) defer log.EndSpan() - log.Debug("Running cosign signer") + if err := exec.Command("cosign", "version").Run(); err != nil { + return errors.New("cosign was not found") + } return nil } 
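Review bot: The new Connect in cosign.go reports every failure of `cosign version` as "cosign was not found" and discards the underlying error, so a binary that is present but exits non-zero, lacks execute permission or has a broken dependency is misdiagnosed; the Connect hunk in notation.go in the next file has the same shape. Presence on PATH can be checked without executing anything with `if _, err := exec.LookPath("cosign"); err != nil { return fmt.Errorf("cosign is not available: %w", err) }` (fmt is already imported, and the new errors import would then be unnecessary). If the version probe is deliberately kept, run it as `exec.CommandContext(ctx, "cosign", "version")` so a hung or slow binary honours the caller's cancellation — which also gives the ctx covered by the `//lint:ignore SA4006` comment a real use — and wrap the error with `%w` rather than replacing it.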
diff --git a/pkg/signing/plugins/notation/notation.go b/pkg/signing/plugins/notation/notation.go index 433cdd400..66cea612c 100644 --- a/pkg/signing/plugins/notation/notation.go +++ b/pkg/signing/plugins/notation/notation.go @@ -2,6 +2,7 @@ package notation import ( "context" + "errors" "fmt" "os/exec" @@ -33,7 +34,9 @@ func (s *Signer) Connect(ctx context.Context) error { ctx, log := tracing.StartSpan(ctx) defer log.EndSpan() - log.Debug("Running notation signer") + if err := exec.Command("notation", "version").Run(); err != nil { + return errors.New("notation was not found") + } return nil } diff --git a/pkg/signing/plugins/proto/signing_protocol.pb.go b/pkg/signing/plugins/proto/signing_protocol.pb.go index f9c0c1775..a18e5bac4 100644 --- a/pkg/signing/plugins/proto/signing_protocol.pb.go +++ b/pkg/signing/plugins/proto/signing_protocol.pb.go 
@@ -114,6 +114,44 @@ func (x *VerifyRequest) GetRef() string { return "" } +type ConnectRequest struct { + state protoimpl.MessageState + sizeCache protoimpl.SizeCache + unknownFields protoimpl.UnknownFields +} + +func (x *ConnectRequest) Reset() { + *x = ConnectRequest{} + if protoimpl.UnsafeEnabled { + mi := &file_signing_protocol_proto_msgTypes[2] + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + ms.StoreMessageInfo(mi) + } +} + +func (x *ConnectRequest) String() string { + return protoimpl.X.MessageStringOf(x) +} + +func (*ConnectRequest) ProtoMessage() {} + +func (x *ConnectRequest) ProtoReflect() protoreflect.Message { + mi := &file_signing_protocol_proto_msgTypes[2] + if protoimpl.UnsafeEnabled && x != nil { + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + if ms.LoadMessageInfo() == nil { + ms.StoreMessageInfo(mi) + } + return ms + } + return mi.MessageOf(x) +} + +// Deprecated: Use ConnectRequest.ProtoReflect.Descriptor instead. +func (*ConnectRequest) Descriptor() ([]byte, []int) { + return file_signing_protocol_proto_rawDescGZIP(), []int{2} +} + type SignResponse struct { state protoimpl.MessageState sizeCache protoimpl.SizeCache @@ -123,7 +161,7 @@ type SignResponse struct { func (x *SignResponse) Reset() { *x = SignResponse{} if protoimpl.UnsafeEnabled { - mi := &file_signing_protocol_proto_msgTypes[2] + mi := &file_signing_protocol_proto_msgTypes[3] ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) ms.StoreMessageInfo(mi) } @@ -136,7 +174,7 @@ func (x *SignResponse) String() string { func (*SignResponse) ProtoMessage() {} func (x *SignResponse) ProtoReflect() protoreflect.Message { - mi := &file_signing_protocol_proto_msgTypes[2] + mi := &file_signing_protocol_proto_msgTypes[3] if protoimpl.UnsafeEnabled && x != nil { ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) if ms.LoadMessageInfo() == nil { 
@@ -149,7 +187,7 @@ func (x *SignResponse) ProtoReflect() protoreflect.Message { // Deprecated: Use SignResponse.ProtoReflect.Descriptor instead. func (*SignResponse) Descriptor() ([]byte, []int) { - return file_signing_protocol_proto_rawDescGZIP(), []int{2} + return file_signing_protocol_proto_rawDescGZIP(), []int{3} } type VerifyResponse struct { @@ -161,7 +199,7 @@ type VerifyResponse struct { func (x *VerifyResponse) Reset() { *x = VerifyResponse{} if protoimpl.UnsafeEnabled { - mi := &file_signing_protocol_proto_msgTypes[3] + mi := &file_signing_protocol_proto_msgTypes[4] ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) ms.StoreMessageInfo(mi) } @@ -174,7 +212,7 @@ func (x *VerifyResponse) String() string { func (*VerifyResponse) ProtoMessage() {} func (x *VerifyResponse) ProtoReflect() protoreflect.Message { - mi := &file_signing_protocol_proto_msgTypes[3] + mi := &file_signing_protocol_proto_msgTypes[4] if protoimpl.UnsafeEnabled && x != nil { ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) if ms.LoadMessageInfo() == nil { 
@@ -187,7 +225,45 @@ func (x *VerifyResponse) ProtoReflect() protoreflect.Message { // Deprecated: Use VerifyResponse.ProtoReflect.Descriptor instead. func (*VerifyResponse) Descriptor() ([]byte, []int) { - return file_signing_protocol_proto_rawDescGZIP(), []int{3} + return file_signing_protocol_proto_rawDescGZIP(), []int{4} +} + +type ConnectResponse struct { + state protoimpl.MessageState + sizeCache protoimpl.SizeCache + unknownFields protoimpl.UnknownFields +} + +func (x *ConnectResponse) Reset() { + *x = ConnectResponse{} + if protoimpl.UnsafeEnabled { + mi := &file_signing_protocol_proto_msgTypes[5] + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + ms.StoreMessageInfo(mi) + } +} + +func (x *ConnectResponse) String() string { + return protoimpl.X.MessageStringOf(x) +} + +func (*ConnectResponse) ProtoMessage() {} + +func (x *ConnectResponse) ProtoReflect() protoreflect.Message { + mi := &file_signing_protocol_proto_msgTypes[5] + if protoimpl.UnsafeEnabled && x != nil { + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + if ms.LoadMessageInfo() == nil { + ms.StoreMessageInfo(mi) + } + return ms + } + return mi.MessageOf(x) +} + +// Deprecated: Use ConnectResponse.ProtoReflect.Descriptor instead. +func (*ConnectResponse) Descriptor() ([]byte, []int) { + return file_signing_protocol_proto_rawDescGZIP(), []int{5} } var File_signing_protocol_proto protoreflect.FileDescriptor 
@@ -199,21 +275,27 @@ var file_signing_protocol_proto_rawDesc = []byte{ 0x12, 0x10, 0x0a, 0x03, 0x52, 0x65, 0x66, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x03, 0x52, 0x65, 0x66, 0x22, 0x21, 0x0a, 0x0d, 0x56, 0x65, 0x72, 0x69, 0x66, 0x79, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x12, 0x10, 0x0a, 0x03, 0x52, 0x65, 0x66, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, - 0x52, 0x03, 0x52, 0x65, 0x66, 0x22, 0x0e, 0x0a, 0x0c, 0x53, 0x69, 0x67, 0x6e, 0x52, 0x65, 0x73, - 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x10, 0x0a, 0x0e, 0x56, 0x65, 0x72, 0x69, 0x66, 0x79, 0x52, - 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x32, 0x81, 0x01, 0x0a, 0x0f, 0x53, 0x69, 0x67, 0x6e, - 0x69, 0x6e, 0x67, 0x50, 0x72, 0x6f, 0x74, 0x6f, 0x63, 0x6f, 0x6c, 0x12, 0x33, 0x0a, 0x04, 0x53, - 0x69, 0x67, 0x6e, 0x12, 0x14, 0x2e, 0x70, 0x6c, 0x75, 0x67, 0x69, 0x6e, 0x73, 0x2e, 0x53, 0x69, - 0x67, 0x6e, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x15, 0x2e, 0x70, 0x6c, 0x75, 0x67, - 0x69, 0x6e, 0x73, 0x2e, 0x53, 0x69, 0x67, 0x6e, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, - 0x12, 0x39, 0x0a, 0x06, 0x56, 0x65, 0x72, 0x69, 0x66, 0x79, 0x12, 0x16, 0x2e, 0x70, 0x6c, 0x75, - 0x67, 0x69, 0x6e, 0x73, 0x2e, 0x56, 0x65, 0x72, 0x69, 0x66, 0x79, 0x52, 0x65, 0x71, 0x75, 0x65, - 0x73, 0x74, 0x1a, 0x17, 0x2e, 0x70, 0x6c, 0x75, 0x67, 0x69, 0x6e, 0x73, 0x2e, 0x56, 0x65, 0x72, - 0x69, 0x66, 0x79, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x42, 0x30, 0x5a, 0x2e, 0x67, - 0x65, 0x74, 0x2e, 0x70, 0x6f, 0x72, 0x74, 0x65, 0x72, 0x2e, 0x73, 0x68, 0x2f, 0x70, 0x6f, 0x72, - 0x74, 0x65, 0x72, 0x2f, 0x70, 0x6b, 0x67, 0x2f, 0x73, 0x69, 0x67, 0x6e, 0x69, 0x6e, 0x67, 0x2f, - 0x70, 0x6c, 0x75, 0x67, 0x69, 0x6e, 0x73, 0x2f, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x06, 0x70, - 0x72, 0x6f, 0x74, 0x6f, 0x33, + 0x52, 0x03, 0x52, 0x65, 0x66, 0x22, 0x10, 0x0a, 0x0e, 0x43, 0x6f, 0x6e, 0x6e, 0x65, 0x63, 0x74, + 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x22, 0x0e, 0x0a, 0x0c, 0x53, 0x69, 0x67, 0x6e, 0x52, + 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 
0x65, 0x22, 0x10, 0x0a, 0x0e, 0x56, 0x65, 0x72, 0x69, 0x66, + 0x79, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x11, 0x0a, 0x0f, 0x43, 0x6f, 0x6e, + 0x6e, 0x65, 0x63, 0x74, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x32, 0xbf, 0x01, 0x0a, + 0x0f, 0x53, 0x69, 0x67, 0x6e, 0x69, 0x6e, 0x67, 0x50, 0x72, 0x6f, 0x74, 0x6f, 0x63, 0x6f, 0x6c, + 0x12, 0x33, 0x0a, 0x04, 0x53, 0x69, 0x67, 0x6e, 0x12, 0x14, 0x2e, 0x70, 0x6c, 0x75, 0x67, 0x69, + 0x6e, 0x73, 0x2e, 0x53, 0x69, 0x67, 0x6e, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x15, + 0x2e, 0x70, 0x6c, 0x75, 0x67, 0x69, 0x6e, 0x73, 0x2e, 0x53, 0x69, 0x67, 0x6e, 0x52, 0x65, 0x73, + 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x12, 0x39, 0x0a, 0x06, 0x56, 0x65, 0x72, 0x69, 0x66, 0x79, 0x12, + 0x16, 0x2e, 0x70, 0x6c, 0x75, 0x67, 0x69, 0x6e, 0x73, 0x2e, 0x56, 0x65, 0x72, 0x69, 0x66, 0x79, + 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x17, 0x2e, 0x70, 0x6c, 0x75, 0x67, 0x69, 0x6e, + 0x73, 0x2e, 0x56, 0x65, 0x72, 0x69, 0x66, 0x79, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, + 0x12, 0x3c, 0x0a, 0x07, 0x43, 0x6f, 0x6e, 0x6e, 0x65, 0x63, 0x74, 0x12, 0x17, 0x2e, 0x70, 0x6c, + 0x75, 0x67, 0x69, 0x6e, 0x73, 0x2e, 0x43, 0x6f, 0x6e, 0x6e, 0x65, 0x63, 0x74, 0x52, 0x65, 0x71, + 0x75, 0x65, 0x73, 0x74, 0x1a, 0x18, 0x2e, 0x70, 0x6c, 0x75, 0x67, 0x69, 0x6e, 0x73, 0x2e, 0x43, + 0x6f, 0x6e, 0x6e, 0x65, 0x63, 0x74, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x42, 0x30, + 0x5a, 0x2e, 0x67, 0x65, 0x74, 0x2e, 0x70, 0x6f, 0x72, 0x74, 0x65, 0x72, 0x2e, 0x73, 0x68, 0x2f, + 0x70, 0x6f, 0x72, 0x74, 0x65, 0x72, 0x2f, 0x70, 0x6b, 0x67, 0x2f, 0x73, 0x69, 0x67, 0x6e, 0x69, + 0x6e, 0x67, 0x2f, 0x70, 0x6c, 0x75, 0x67, 0x69, 0x6e, 0x73, 0x2f, 0x70, 0x72, 0x6f, 0x74, 0x6f, + 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33, } var ( 
@@ -228,20 +310,24 @@ func file_signing_protocol_proto_rawDescGZIP() []byte { return file_signing_protocol_proto_rawDescData } -var file_signing_protocol_proto_msgTypes = make([]protoimpl.MessageInfo, 4) +var file_signing_protocol_proto_msgTypes = make([]protoimpl.MessageInfo, 6) var file_signing_protocol_proto_goTypes = []interface{}{ - (*SignRequest)(nil), // 0: plugins.SignRequest - (*VerifyRequest)(nil), // 1: plugins.VerifyRequest - (*SignResponse)(nil), // 2: plugins.SignResponse - (*VerifyResponse)(nil), // 3: plugins.VerifyResponse + (*SignRequest)(nil), // 0: plugins.SignRequest + (*VerifyRequest)(nil), // 1: plugins.VerifyRequest + (*ConnectRequest)(nil), // 2: plugins.ConnectRequest + (*SignResponse)(nil), // 3: plugins.SignResponse + (*VerifyResponse)(nil), // 4: plugins.VerifyResponse + (*ConnectResponse)(nil), // 5: plugins.ConnectResponse } var file_signing_protocol_proto_depIdxs = []int32{ 0, // 0: plugins.SigningProtocol.Sign:input_type -> plugins.SignRequest 1, // 1: plugins.SigningProtocol.Verify:input_type -> plugins.VerifyRequest - 2, // 2: plugins.SigningProtocol.Sign:output_type -> plugins.SignResponse - 3, // 3: plugins.SigningProtocol.Verify:output_type -> plugins.VerifyResponse - 2, // [2:4] is the sub-list for method output_type - 0, // [0:2] is the sub-list for method input_type + 2, // 2: plugins.SigningProtocol.Connect:input_type -> plugins.ConnectRequest + 3, // 3: plugins.SigningProtocol.Sign:output_type -> plugins.SignResponse + 4, // 4: plugins.SigningProtocol.Verify:output_type -> plugins.VerifyResponse + 5, // 5: plugins.SigningProtocol.Connect:output_type -> plugins.ConnectResponse + 3, // [3:6] is the sub-list for method output_type + 0, // [0:3] is the sub-list for method input_type 0, // [0:0] is the sub-list for extension type_name 0, // [0:0] is the sub-list for extension extendee 0, // [0:0] is the sub-list for field type_name 
@@ -278,7 +364,7 @@ func file_signing_protocol_proto_init() { } } file_signing_protocol_proto_msgTypes[2].Exporter = func(v interface{}, i int) interface{} { - switch v := v.(*SignResponse); i { + switch v := v.(*ConnectRequest); i { case 0: return &v.state case 1: @@ -290,6 +376,18 @@ func file_signing_protocol_proto_init() { } } file_signing_protocol_proto_msgTypes[3].Exporter = func(v interface{}, i int) interface{} { + switch v := v.(*SignResponse); i { + case 0: + return &v.state + case 1: + return &v.sizeCache + case 2: + return &v.unknownFields + default: + return nil + } + } + file_signing_protocol_proto_msgTypes[4].Exporter = func(v interface{}, i int) interface{} { switch v := v.(*VerifyResponse); i { case 0: return &v.state @@ -301,6 +399,18 @@ func file_signing_protocol_proto_init() { return nil } } + file_signing_protocol_proto_msgTypes[5].Exporter = func(v interface{}, i int) interface{} { + switch v := v.(*ConnectResponse); i { + case 0: + return &v.state + case 1: + return &v.sizeCache + case 2: + return &v.unknownFields + default: + return nil + } + } } type x struct{} out := protoimpl.TypeBuilder{ @@ -308,7 +418,7 @@ func file_signing_protocol_proto_init() { GoPackagePath: reflect.TypeOf(x{}).PkgPath(), RawDescriptor: file_signing_protocol_proto_rawDesc, NumEnums: 0, - NumMessages: 4, + NumMessages: 6, NumExtensions: 0, NumServices: 1, }, diff --git a/pkg/signing/plugins/proto/signing_protocol.proto b/pkg/signing/plugins/proto/signing_protocol.proto index bd6412e5d..cf728cfdb 100644 --- a/pkg/signing/plugins/proto/signing_protocol.proto +++ b/pkg/signing/plugins/proto/signing_protocol.proto 
@@ -11,11 +11,16 @@ message VerifyRequest { string Ref = 1; } +message ConnectRequest {} + message SignResponse {} message VerifyResponse {} +message ConnectResponse {} + service SigningProtocol { rpc Sign(SignRequest) returns (SignResponse); rpc Verify(VerifyRequest) returns (VerifyResponse); + rpc Connect(ConnectRequest) returns (ConnectResponse); } \ No newline at end of file diff --git a/pkg/signing/plugins/proto/signing_protocol_grpc.pb.go b/pkg/signing/plugins/proto/signing_protocol_grpc.pb.go index 974540951..3d5cb293e 100644 --- a/pkg/signing/plugins/proto/signing_protocol_grpc.pb.go +++ b/pkg/signing/plugins/proto/signing_protocol_grpc.pb.go @@ -24,6 +24,7 @@ const _ = grpc.SupportPackageIsVersion7 type SigningProtocolClient interface { Sign(ctx context.Context, in *SignRequest, opts ...grpc.CallOption) (*SignResponse, error) Verify(ctx context.Context, in *VerifyRequest, opts ...grpc.CallOption) (*VerifyResponse, error) + Connect(ctx context.Context, in *ConnectRequest, opts ...grpc.CallOption) (*ConnectResponse, error) } type signingProtocolClient struct { @@ -52,12 +53,22 @@ func (c *signingProtocolClient) Verify(ctx context.Context, in *VerifyRequest, o return out, nil } +func (c *signingProtocolClient) Connect(ctx context.Context, in *ConnectRequest, opts ...grpc.CallOption) (*ConnectResponse, error) { + out := new(ConnectResponse) + err := c.cc.Invoke(ctx, "/plugins.SigningProtocol/Connect", in, out, opts...) + if err != nil { + return nil, err + } + return out, nil +} + // SigningProtocolServer is the server API for SigningProtocol service. // All implementations must embed UnimplementedSigningProtocolServer // for forward compatibility type SigningProtocolServer interface { Sign(context.Context, *SignRequest) (*SignResponse, error) Verify(context.Context, *VerifyRequest) (*VerifyResponse, error) + Connect(context.Context, *ConnectRequest) (*ConnectResponse, error) mustEmbedUnimplementedSigningProtocolServer() } 
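Review bot: The new `rpc Connect` has no comment stating what a plugin is expected to do in it, and since ConnectRequest and ConnectResponse are both empty messages the schema gives implementers no contract at all; a line such as `// Connect checks that the plugin's signing tooling is available and returns an error otherwise.` above the rpc would document it. The file also still ends without a trailing newline (the hunk carries `\ No newline at end of file`) on a line this commit touches; adding one keeps future diffs of the service block clean.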
@@ -71,6 +82,9 @@ func (UnimplementedSigningProtocolServer) Sign(context.Context, *SignRequest) (* func (UnimplementedSigningProtocolServer) Verify(context.Context, *VerifyRequest) (*VerifyResponse, error) { return nil, status.Errorf(codes.Unimplemented, "method Verify not implemented") } +func (UnimplementedSigningProtocolServer) Connect(context.Context, *ConnectRequest) (*ConnectResponse, error) { + return nil, status.Errorf(codes.Unimplemented, "method Connect not implemented") +} func (UnimplementedSigningProtocolServer) mustEmbedUnimplementedSigningProtocolServer() {} // UnsafeSigningProtocolServer may be embedded to opt out of forward compatibility for this service. @@ -120,6 +134,24 @@ func _SigningProtocol_Verify_Handler(srv interface{}, ctx context.Context, dec f return interceptor(ctx, in, info, handler) } +func _SigningProtocol_Connect_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) { + in := new(ConnectRequest) + if err := dec(in); err != nil { + return nil, err + } + if interceptor == nil { + return srv.(SigningProtocolServer).Connect(ctx, in) + } + info := &grpc.UnaryServerInfo{ + Server: srv, + FullMethod: "/plugins.SigningProtocol/Connect", + } + handler := func(ctx context.Context, req interface{}) (interface{}, error) { + return srv.(SigningProtocolServer).Connect(ctx, req.(*ConnectRequest)) + } + return interceptor(ctx, in, info, handler) +} + // SigningProtocol_ServiceDesc is the grpc.ServiceDesc for SigningProtocol service. // It's only intended for direct use with grpc.RegisterService, // and not to be introspected or modified (even as a copy) @@ -135,6 +167,10 @@ var SigningProtocol_ServiceDesc = grpc.ServiceDesc{ MethodName: "Verify", Handler: _SigningProtocol_Verify_Handler, }, + { + MethodName: "Connect", + Handler: _SigningProtocol_Connect_Handler, + }, }, Streams: []grpc.StreamDesc{}, Metadata: "signing_protocol.proto", 
diff --git a/pkg/signing/plugins/signing_protocol.go b/pkg/signing/plugins/signing_protocol.go index e6aeb335e..24e8d29f0 100644 --- a/pkg/signing/plugins/signing_protocol.go +++ b/pkg/signing/plugins/signing_protocol.go @@ -5,6 +5,8 @@ import "context" // SigningProtocol is the interface that signing plugins must implement. // This defines the protocol used to communicate with signing plugins. type SigningProtocol interface { + Connect(ctx context.Context) error + // Resolve a secret value from a secret store // - ref is OCI reference to verify Sign(ctx context.Context, ref string) error diff --git a/pkg/signing/pluginstore/grpc.go b/pkg/signing/pluginstore/grpc.go index af2dc7f02..34127794f 100644 --- a/pkg/signing/pluginstore/grpc.go +++ b/pkg/signing/pluginstore/grpc.go @@ -39,6 +39,12 @@ func (m *GClient) Verify(ctx context.Context, ref string) error { return err } +func (m *GClient) Connect(ctx context.Context) error { + req := &proto.ConnectRequest{} + _, err := m.client.Connect(ctx, req) + return err +} + // GServer is a gRPC wrapper around a SecretsProtocol plugin type GServer struct { c *portercontext.Context @@ -65,3 +71,11 @@ func (m *GServer) Verify(ctx context.Context, request *proto.VerifyRequest) (*pr } return &proto.VerifyResponse{}, nil } + +func (m *GServer) Connect(ctx context.Context, request *proto.ConnectRequest) (*proto.ConnectResponse, error) { + err := m.impl.Connect(ctx) + if err != nil { + return nil, err + } + return &proto.ConnectResponse{}, nil +} diff --git a/pkg/signing/pluginstore/signer.go b/pkg/signing/pluginstore/signer.go index 390370c59..e564fcb2d 100644 --- a/pkg/signing/pluginstore/signer.go +++ b/pkg/signing/pluginstore/signer.go @@ -109,6 +109,10 @@ func (s *Signer) Connect(ctx context.Context) error { } s.plugin = store + if err = s.plugin.Connect(ctx); err != nil { + return err + } + return nil } diff --git a/pkg/signing/signer.go b/pkg/signing/signer.go index a4b50e6bf..d4cc42792 100644 --- a/pkg/signing/signer.go 
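Review bot: `Connect(ctx context.Context) error` is added to the SigningProtocol interface without a doc comment, whereas the methods below it are commented, so plugin authors must read the cosign and notation implementations to learn what Connect is for; a comment such as `// Connect checks that the tooling the plugin depends on is available; pluginstore.Signer.Connect calls it right after the plugin is loaded.` would state the contract in the one place every implementation sees. The second sentence is grounded in the pluginstore/signer.go hunk in this commit, where `s.plugin.Connect(ctx)` runs directly after `s.plugin = store`.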
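Review bot: In pluginstore/signer.go, `s.plugin = store` is assigned before `s.plugin.Connect(ctx)` is checked, so when the tooling check fails the Signer keeps a reference to a backend that has just reported itself unusable, and if the plugin process was started earlier in this function nothing in the hunk releases it. Consider connecting first and only then assigning, `if err = store.Connect(ctx); err != nil { return err }` followed by `s.plugin = store`, or applying whatever cleanup this file already uses on the failure path; wrapping the error so the caller can tell which stage failed, e.g. `return fmt.Errorf("connecting to signing plugin: %w", err)` (if fmt is in scope in this file), would also help. The enclosing Signer.Connect starts outside the hunk, so where `store` and `err` are declared is not visible here.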
+++ b/pkg/signing/signer.go
@@ -13,4 +13,6 @@ type Signer interface {
 // Verify attempts to verify a signature for the specified
 // reference, which can be a Porter bundle or an invocation image.
 Verify(ctx context.Context, ref string) error
+ // TODO
+ Connect(ctx context.Context) error
 }
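Review bot: The new `Connect` method on the exported `Signer` interface carries only a `// TODO` placeholder, while `Verify` immediately above is properly documented, so the interface ships with an unfinished doc comment; replace it with `// Connect prepares the signer for use, checking that its underlying signing tooling is available.` The enclosing interface declaration starts outside the hunk.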