-
Notifications
You must be signed in to change notification settings - Fork 380
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Request for Sigstore signature verification enhancement and flexibility in cosign verify. #2027
Comments
Thanks for reaching out. We are, for the foreseeable future, very unlikely to include all of cosign features (that would essentially require including much of cosign codebase, and c/image is used in size-constrained tools like Podman). Individual features can be added (and I expect more Fulcio-matching features in particular), but that would probably be on a feature-by-feature basis, if they are necessary and supportable. As some random few comments
|
It sounds like this request needs to be broken down into specific, individual feature requests that can be evaluated and implemented:
@zhaoyonghe @dmitris Did I miss any? @mtrmac Would it be useful to file these as separate issues? |
Thanks @lkatalin for bringing up this issue again. We use
We use Athenz and Crypki (OIDC provider and CA infra already existed in our company) and the sigstore timestamp authority to match this grocery list. Our blog provides more details on our sigstore infra and cosign verify usage. In general, it would be great to support the equivalent check as:
These five flags are essential from our perspective and can be separate requests! |
It is a fairly strongly-held design decision of c/image that all verification configuration is set up in I am also still pretty skeptical about regexes, because they encourage imprecise identities. Compare the detailed design discussion and concerns in #2235 .
Same here; that should be in
Again, not a CLI option. Supporting a timestamp authority instead of Rekor does seem quite valuable to me, I don’t think most users actually benefit from the complexity of Rekor.
A root of trust belongs in
There seems to be a shared theme around
(Added to my reading list, but I didn’t read it yet; it’s possible that resolves some of my concerns.) |
#2432 is working on supporting non-Fulcio PKIs. |
My mistake, #2579 is where the work has started. |
@mtrmac one related question, in the spirit of "where the pack is going" 😄: the |
Currently c/image doesn’t have the ambition to support all options that exist in Conversely, the Also c/image has a strong opinion that the signed image identity critically matters, unlike cosign — so the two tools would, often enough, not evaluate “the same” policy the same way. It would be possible to add a |
Currently, we are able to verify container images with sigstore signatures using public key/Fulcio/Rekor, as described here. However, there are additional verifications supported by cosign, such as verifying signatures using non-Fulcio roots, as demonstrated in this pull request.
An example of the cosign command for verifying signatures using non-Fulcio roots is:
Is it possible to add support for this functionality? Moreover, could we take a step further and match fields in /etc/containers/policy.json with the cosign verify parameters to enable the execution of all forms of cosign verify?
/cc @mtrmac
Thank you for your attention to this matter.
The text was updated successfully, but these errors were encountered: