For this proposal, we basically continue using the same trust model with our keys: we have a physical YubiKey that can be used for signing; we use it with cosign to attach the signature to the image on ghcr.
We then can verify on the clients that this key has been used to sign the new container images. It offers a way to ensure that the signed container image has been vouched by some identity trusted by the original package authors.
Compared to a more "traditional" way of signing (where one part signs and the other verifies), cosign signatures are also logged to a trusted transparency log.
The verification procedure ensures that a proof of inclusion in the transparency log is present.
Signatures are applied locally with a private key stored in a YubiKey. The signature is applied and published following the signature specification (link).
Note: Keyless signing
This proposed way of signing actually differs from what sigstore names "Keyless Signing". We might want to introduce keyless signing in the future, see the "future work" section for more information.