Story #9509

Story #9502: [EPIC] Container Signing and Verification

As a user I can sign container image by providing signing policy config

Added by ipanova@redhat.com 13 days ago. Updated about 10 hours ago.

Status: NEW
Priority: Normal
Assignee: -
Sprint/Milestone: -
Start date:
Due date:
% Done: 0%
Estimated time:
Platform Release:
Groomed: No
Sprint Candidate: No
Tags:
Sprint:
Quarter:

Description

As a result, a signature will be created and saved into the Pulp Container Registry Sigstore.

It should be possible to sign a whole repo, a list of images or a specific image only.

See https://github.com/containers/skopeo/blob/main/docs/skopeo-standalone-sign.1.md and https://github.com/containers/image/blob/main/docs/containers-signature.5.md#json-data-format
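As an added example, not code from this story, from Pulp or from skopeo, the following Python builds the JSON payload defined in containers-signature.5.md (the bytes that `skopeo standalone-sign` wraps in an OpenPGP signature) and applies the content checks a verifier must perform on such a payload; SAMPLE_MANIFEST and the image reference are constructed values.

```python
"""Build and validate the payload of an "atomic container signature".

Added example following containers-signature.5.md; the OpenPGP signing and
signature verification steps are out of scope here, this is the payload
content check that sits on top of them.
"""
import hashlib
import json
import time

# Constructed sample manifest; in practice these are the raw manifest bytes
# fetched from the registry, byte for byte.
SAMPLE_MANIFEST = (b'{"schemaVersion": 2, "mediaType": '
                   b'"application/vnd.docker.distribution.manifest.v2+json", '
                   b'"config": {}, "layers": []}')
SIGNATURE_TYPE = "atomic container signature"


def manifest_digest(manifest: bytes) -> str:
    # The digest in the payload is sha256 over the exact manifest bytes.
    return "sha256:" + hashlib.sha256(manifest).hexdigest()


def build_payload(manifest: bytes, reference: str, creator: str = "example-signer") -> bytes:
    """Return the JSON bytes that would be handed to the OpenPGP signer."""
    payload = {
        "critical": {
            "type": SIGNATURE_TYPE,
            "image": {"docker-manifest-digest": manifest_digest(manifest)},
            "identity": {"docker-reference": reference},
        },
        # "optional" members carry no security meaning and may be ignored.
        "optional": {"creator": creator, "timestamp": int(time.time())},
    }
    return json.dumps(payload).encode()


def verify_payload(payload: bytes, manifest: bytes, expected_reference: str) -> bool:
    """Check that a (cryptographically verified) payload binds this manifest
    to the reference the consumer expects."""
    try:
        doc = json.loads(payload)
    except ValueError:
        return False
    critical = doc.get("critical") if isinstance(doc, dict) else None
    # The spec requires rejecting payloads whose "critical" object carries
    # any member other than exactly type, image and identity.
    if not isinstance(critical, dict) or set(critical) != {"type", "image", "identity"}:
        return False
    image, identity = critical["image"], critical["identity"]
    if critical["type"] != SIGNATURE_TYPE or not isinstance(image, dict) or not isinstance(identity, dict):
        return False
    if image.get("docker-manifest-digest") != manifest_digest(manifest):
        return False
    return identity.get("docker-reference") == expected_reference
```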

History

#1 Updated by ipanova@redhat.com 13 days ago

  • Subject changed from As a user I can sign container image by providing signgin policy config to As a user I can sign container image by providing signing policy config
  • Description updated (diff)

#2 Updated by ipanova@redhat.com 7 days ago

  • Description updated (diff)

#3 Updated by ipanova@redhat.com 7 days ago

  • Description updated (diff)

#4 Updated by lmjachky about 10 hours ago

The standalone-sign option can be called within the script referenced by a signing service (the docs for users: https://docs.pulpproject.org/pulpcore/workflows/signed-metadata.html; the docs for plugin writers: https://docs.pulpproject.org/pulpcore/plugins/reference/metadata-signing.html).

Users will then write their own signing scripts, respecting our interface (where we define how the signing script should behave - what files it should generate and so on). The interface may be enforced by inheriting from the SigningService model and implementing custom validation/verification methods. We have already done this for AsciiArmoredDetachedSigningService (github).

In the pulp_container backend, we will call the sign method of a customized signing service that executes the signing script and then we will eventually proceed further with publishing the created signatures. For instance, this is how we are using the signing service in pulp_rpm: github. And this is a script that is used for metadata signing in pulp_rpm: docs
