Story #9502: [EPIC] Contrainer Signing and Verification
As a user I can sign container image by providing signing policy config
Ticket moved to GitHub: "pulp/pulp_container/500":https://github.com/pulp/pulp_container/issues/500
As a result signature will be created and saved into the Pulp Container Registry Sigstore
It should be possible to sign whole repo, list of images or a specific image only.
Updated by lmjachky about 2 years ago
standalone-sign option can be called within the script referenced by a signing service (the docs for users: https://docs.pulpproject.org/pulpcore/workflows/signed-metadata.html; the docs for plugin writers: https://docs.pulpproject.org/pulpcore/plugins/reference/metadata-signing.html).
Users will then write their own signing scripts, respecting our interface (where we define how should the signing script behave - what files should it generate and so on). The interface may be enforced by inheriting from the
SigningService model and implementing custom validation/verification methods. We have already done this for
In the pulp_container backend, we will call the
sign method of a customized signing service that executes the signing script and then we will eventually proceed further with publishing the created signatures. For instance, this is how we are using the signing service in pulp_rpm: github. And this is a script that is used for metadata signing in pulp_rpm: docs