-
-
Notifications
You must be signed in to change notification settings - Fork 24
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add support for image verification through cosign #261
Comments
+1 On atomic Fedora ( {
"transports": {
"docker": {
"ghcr.io/xynydev/linuxyz": [
{
"type": "sigstoreSigned",
"keyPath": "/usr/etc/pki/containers/linuxyz.pub",
"signedIdentity": {
"type": "matchRepository"
}
}
]
}
}
} This process can be easily scripted, the image maker just has to provide the cosign keys in a standard location. |
Btw, what do you think about keyless signing in cosign, is it something we could explore to eliminate the need for public/private keys? |
We've looked into OIDC keyless signing with BlueBuild but the upstream support for it is not quite there yet AFAIK, and |
It would probably be easier to stick with key based signing instead of implementing a (possibly insecure) verification method manually |
We currently make no efforts to verify the downloaded images, this is very insecure and can be a huge downside in enterprise applications.
There are multiple solutions to signing the images, but the easiest would be to simply use cosign as it is made for the purpose of signing and verifying oci images. It's also written in go so it would be even easier for us to integrate it with abroot and vib.
The text was updated successfully, but these errors were encountered: