Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

feat: Add trust command to update policy.json #131

Open
gmpinder opened this issue Mar 21, 2024 · 3 comments
Open

feat: Add trust command to update policy.json #131

gmpinder opened this issue Mar 21, 2024 · 3 comments
Assignees
Labels
state: pending Pending requirements, dependencies, data, or more information. type: feature Brand new functionality, features, pages, workflows, endpoints, etc. type: security Something is vulnerable or not secure.
Milestone

Comments

@gmpinder
Copy link
Member

Currently we require users to rebase to an unsigned image before rebasing yet again to the same image as signed. This limitation is due to the fact that we need the cosign public key and an updated policy.json in order to properly trust the image which would only exist in the image. Now that we have a CLI tool that is installed in all images created by it, we have the ability to pull that information and update the user's policy.json as needed.

Information for the source of the image is stored in the label org.opencontainers.image.source. We can use that information to get the cosign.pub file and use that to verify. After we verify the image, we can then update the policy.json and store the public key somewhere. I'm thinking /etc/pki/containers and set the filename to a hash of the file to keep uniqueness.

@gmpinder gmpinder added type: feature Brand new functionality, features, pages, workflows, endpoints, etc. type: security Something is vulnerable or not secure. state: pending Pending requirements, dependencies, data, or more information. labels Mar 21, 2024
@gmpinder gmpinder added this to the v0.9.0 milestone Mar 21, 2024
@gmpinder gmpinder self-assigned this Mar 21, 2024
@xynydev
Copy link
Member

xynydev commented Mar 23, 2024

Can we guarantee that the cosign.pub will exist at a specific place in the repo, or is there a label we could add that would point directly to it?

@gmpinder
Copy link
Member Author

Can we guarantee that the cosign.pub will exist at a specific place in the repo, or is there a label we could add that would point directly to it?

I was planning on assuming that it would be in the root of the project, but adding a label or looking for an existing standard would help.

@xynydev
Copy link
Member

xynydev commented Mar 23, 2024

There doesn't seem to be a standard. https://github.com/opencontainers/image-spec/blob/main/annotations.md#pre-defined-annotation-keys

Keep in mind that the key fetching from the source repo would have to happen directly through git to support other forges than GitHub.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
state: pending Pending requirements, dependencies, data, or more information. type: feature Brand new functionality, features, pages, workflows, endpoints, etc. type: security Something is vulnerable or not secure.
Projects
None yet
Development

No branches or pull requests

2 participants