Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Sign container images #1036

Open
almet opened this issue Dec 17, 2024 · 0 comments
Open

Sign container images #1036

almet opened this issue Dec 17, 2024 · 0 comments
Labels
icu Issues related with independent container updates
Milestone

Comments

@almet
Copy link
Contributor

almet commented Dec 17, 2024

For this proposal, we basically continue using the same trust model with our keys: we have a physical YubiKey that can be used for signing; We use it with cosign to attach the signature to the ghcr.

We then can verify on the clients that this key has been used to sign the new container images. It offers a way to ensure that the signed container image has been vouched by some identity trusted by the original package authors.

Compared to a more "traditional" way of signing (where one part signs and the other verifies), cosign signatures are also logged to a trusted transparency log.
The verification procedure ensures that a proof of inclusion in the transparency log is here.

Signatures are applied locally with a private key stored in a YubiKey. The signature is applied and published following the signature specification (link).

Note

Keyless signing

This proposed way of signing actually differs from what sigstore names "Keyless Signing". We might want to introduce keyless signing in the future, see the "future work" section for more information.

@almet almet added this to the 0.9.0 milestone Dec 17, 2024
@apyrgio apyrgio added the icu Issues related with independent container updates label Dec 19, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
icu Issues related with independent container updates
Projects
Status: Todo
Development

No branches or pull requests

2 participants