Story #9507

Story #9502: [EPIC] Container Signing and Verification

As a user I can mirror a container image with its original signature

Added by ipanova@redhat.com 13 days ago. Updated 1 day ago.

Status: NEW
Priority: Normal
Assignee: -
Sprint/Milestone: -
Start date:
Due date:
% Done: 0%
Estimated time:
Platform Release:
Groomed: No
Sprint Candidate: No
Tags:
Sprint:
Quarter:

Description

Mirrored signatures are not verified. Signature verification is offloaded to the client.

If with-signature=True (TBD: agree on naming) was specified, only those images that have a signature will be mirrored. The rest of the images will be skipped. The signature server location needs to be specified (it's the webserver location of signatures, for example https://registry.redhat.io/containers/sigstore). Otherwise it will be assumed that the signature is stored on the remote registry in the form of a manifest or a separate object:

Q: Does podman/skopeo support verification of the cosign signature type? Only the atomic type for now: https://github.com/containers/image/blob/main/docs/containers-signature.5.md#criticaltype

Q: How will this work with mirror=True?
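
Added example (not part of the original story and not Pulp or containers/image code): a sketch of the "mirror only signed images, skip the rest" decision against a signature webserver. It assumes the lookaside URL layout used by containers/image (`<base>/<repo path>@<algo>=<hex>/signature-<N>`); the function names, the `fetch` callable standing in for an HTTP GET, the repository name, and the digests are hypothetical or constructed.

```python
# Added example: hypothetical helper names; not Pulp or containers/image code.

def lookaside_signature_url(base, repo_path, manifest_digest, index=1):
    """Assumed layout: <base>/<repo path>@<algo>=<hex>/signature-<N>, N from 1."""
    algo, sep, hexdigest = manifest_digest.partition(":")
    if not (sep and algo and hexdigest):
        raise ValueError(f"malformed manifest digest: {manifest_digest!r}")
    return (f"{base.rstrip('/')}/{repo_path.strip('/')}"
            f"@{algo}={hexdigest}/signature-{index}")

def fetch_signatures(base, repo_path, manifest_digest, fetch, limit=16):
    """Read signature-1, signature-2, ... until the first missing index.
    fetch(url) stands in for an HTTP GET: bytes on 200, None on 404."""
    blobs = []
    for index in range(1, limit + 1):
        blob = fetch(lookaside_signature_url(base, repo_path, manifest_digest, index))
        if blob is None:
            break
        blobs.append(blob)
    return blobs

def plan_mirror(base, repo_path, tag_digests, fetch):
    """Return (to_mirror, skipped). Blobs are copied as opaque bytes:
    nothing is verified here, that stays with the client."""
    to_mirror, skipped = {}, []
    for tag, digest in sorted(tag_digests.items()):
        blobs = fetch_signatures(base, repo_path, digest, fetch)
        if blobs:
            to_mirror[tag] = (digest, blobs)
        else:
            skipped.append(tag)
    return to_mirror, skipped

# Constructed sample data: digests and signature bytes are placeholders.
BASE = "https://registry.redhat.io/containers/sigstore"
REPO = "example/image"
TAGS = {"1.0": "sha256:" + "a" * 64, "1.1": "sha256:" + "b" * 64}
STORE = {
    lookaside_signature_url(BASE, REPO, TAGS["1.0"], 1): b"constructed-sig-1",
    lookaside_signature_url(BASE, REPO, TAGS["1.0"], 2): b"constructed-sig-2",
}

if __name__ == "__main__":
    mirrored, skipped = plan_mirror(BASE, REPO, TAGS, STORE.get)
    print("mirror:", sorted(mirrored), "skip:", skipped)
```

Because the mirrored signatures are stored unverified, a client pulling from the mirror still needs its own policy and trusted keys to check them.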

History

#1 Updated by ipanova@redhat.com 13 days ago

  • Description updated (diff)

#2 Updated by ipanova@redhat.com 7 days ago

  • Description updated (diff)

#3 Updated by ipanova@redhat.com 7 days ago

  • Description updated (diff)

#4 Updated by ipanova@redhat.com 7 days ago

  • Description updated (diff)

#5 Updated by ipanova@redhat.com 7 days ago

  • Description updated (diff)

#6 Updated by ipanova@redhat.com 7 days ago

  • Description updated (diff)

#7 Updated by ipanova@redhat.com 7 days ago

  • Description updated (diff)

#8 Updated by ipanova@redhat.com 1 day ago

  • Description updated (diff)
