Story #9507
closedStory #9502: [EPIC] Contrainer Signing and Verification
As a user I can sync container image with its original signature
0%
Description
Ticket moved to GitHub: "pulp/pulp_container/498":https://github.com/pulp/pulp_container/issues/498
Synced signatures are not verified. Signature verification is offloaded to the client.
If with-signature=True
( TBD agree on naming) was specified only those images that have signature with be mirrored. Rest of the images will be skipped. Signature server location
needs to be specified ( it's the webserver location of signatures, for example https://registry.redhat.io/containers/sigstore).
Otherwise it will be assumed that the signature is stored on the remote registry in a form of manifest or a separate object:
- If it is a separate object, signature API extensions should be available on the registry and
X-Registry-Supports-Signatures
header will identify that https://github.com/containers/image/blob/main/docs/signature-protocols.md#openshift-dockerdistribution-api-extension - If it is stored in a form of a manifest then it most likely was signed with cosign https://github.com/SigStore/cosign#signing-subjects. we will not support this for now
Q: does podman/skopeo support verification of cosign signature type? Only atomic type for now https://github.com/containers/image/blob/main/docs/containers-signature.5.md#criticaltype
Q: how this will work with mirror=True?
Updated by ttereshc about 3 years ago
- Subject changed from As a user I can mirror container image with its original signature to As a user I can sync container image with its original signature
- Description updated (diff)
Updated by ttereshc about 3 years ago
- Status changed from NEW to ASSIGNED
- Assignee set to ttereshc
- Sprint set to Sprint 110
Updated by pulpbot about 3 years ago
- Status changed from ASSIGNED to POST
Updated by pulpbot about 3 years ago
Added by ttereshc about 3 years ago
Added by ttereshc about 3 years ago
Revision aac67ec8 | View on GitHub
Add ManifestSignature model and related serializer/filter/viewset.
Updated by rchan about 3 years ago
- Sprint changed from Sprint 110 to Sprint 111
Added by ttereshc about 3 years ago
Revision c381bbe0 | View on GitHub
Add ManifestSignature model and related serializer/filter/viewset.
Added by ttereshc about 3 years ago
Revision c381bbe0 | View on GitHub
Add ManifestSignature model and related serializer/filter/viewset.
Updated by pulpbot about 3 years ago
- Description updated (diff)
- Status changed from POST to CLOSED - DUPLICATE
Add ManifestSignature model and related serializer/filter/viewset.
re #9507 https://pulp.plan.io/issues/9507