Project

Profile

Help

Story #9509

closed

Story #9502: [EPIC] Contrainer Signing and Verification

As a user I can sign container image by providing signing policy config

Added by ipanova@redhat.com almost 3 years ago. Updated over 2 years ago.

Status:
CLOSED - DUPLICATE
Priority:
Normal
Sprint/Milestone:
-
Start date:
Due date:
% Done:

0%

Estimated time:
Platform Release:
Groomed:
No
Sprint Candidate:
No
Tags:
Sprint:
Sprint 111
Quarter:

Description

Ticket moved to GitHub: "pulp/pulp_container/500":https://github.com/pulp/pulp_container/issues/500


As a result signature will be created and saved into the Pulp Container Registry Sigstore

It should be possible to sign whole repo, list of images or a specific image only.

See https://github.com/containers/skopeo/blob/main/docs/skopeo-standalone-sign.1.md and https://github.com/containers/image/blob/main/docs/containers-signature.5.md#json-data-format

Actions #1

Updated by ipanova@redhat.com almost 3 years ago

  • Subject changed from As a user I can sign container image by providing signgin policy config to As a user I can sign container image by providing signing policy config
  • Description updated (diff)
Actions #2

Updated by ipanova@redhat.com almost 3 years ago

  • Description updated (diff)
Actions #3

Updated by ipanova@redhat.com almost 3 years ago

  • Description updated (diff)
Actions #4

Updated by lmjachky over 2 years ago

The standalone-sign option can be called within the script referenced by a signing service (the docs for users: https://docs.pulpproject.org/pulpcore/workflows/signed-metadata.html; the docs for plugin writers: https://docs.pulpproject.org/pulpcore/plugins/reference/metadata-signing.html).

Users will then write their own signing scripts, respecting our interface (where we define how should the signing script behave - what files should it generate and so on). The interface may be enforced by inheriting from the SigningService model and implementing custom validation/verification methods. We have already done this for AsciiArmoredDetachedSigningService (github).

In the pulp_container backend, we will call the sign method of a customized signing service that executes the signing script and then we will eventually proceed further with publishing the created signatures. For instance, this is how we are using the signing service in pulp_rpm: github. And this is a script that is used for metadata signing in pulp_rpm: docs

Actions #5

Updated by ipanova@redhat.com over 2 years ago

  • Status changed from NEW to ASSIGNED
  • Assignee set to ipanova@redhat.com
Actions #6

Updated by ipanova@redhat.com over 2 years ago

  • Sprint set to Sprint 111
Actions #7

Updated by pulpbot over 2 years ago

  • Description updated (diff)
  • Status changed from ASSIGNED to CLOSED - DUPLICATE

Also available in: Atom PDF