
Story #9509

closed

Story #9502: [EPIC] Container Signing and Verification

As a user I can sign container image by providing signing policy config

Added by ipanova@redhat.com about 3 years ago. Updated about 3 years ago.

Status: CLOSED - DUPLICATE
Priority: Normal
Sprint/Milestone: -
Start date:
Due date:
% Done: 0%
Estimated time:
Platform Release:
Groomed: No
Sprint Candidate: No
Tags:
Sprint: Sprint 111
Quarter:

Description

Ticket moved to GitHub: pulp/pulp_container/500 (https://github.com/pulp/pulp_container/issues/500)

As a result, a signature will be created and saved into the Pulp Container Registry sigstore.

It should be possible to sign a whole repository, a list of images, or a specific image only.

See https://github.com/containers/skopeo/blob/main/docs/skopeo-standalone-sign.1.md and https://github.com/containers/image/blob/main/docs/containers-signature.5.md#json-data-format
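The second link above describes the JSON object that `skopeo standalone-sign` wraps in an OpenPGP signature. The following added example (not code from the ticket or from pulp_container) builds that object for a constructed manifest and shows the checks a verifier applies to the decoded payload after the OpenPGP signature itself has been validated; the manifest, reference and creator string are assumptions.

```python
import hashlib
import json
import time
from typing import List, Optional

# Constructed sample manifest; in practice this is the raw bytes served by the registry.
SAMPLE_MANIFEST = json.dumps({
    "schemaVersion": 2,
    "mediaType": "application/vnd.docker.distribution.manifest.v2+json",
    "config": {"mediaType": "application/vnd.docker.container.image.v1+json",
               "size": 1, "digest": "sha256:" + "0" * 64},
    "layers": [],
}).encode()

CRITICAL_MEMBERS = {"type", "image", "identity"}


def manifest_digest(manifest: bytes) -> str:
    """Image identity as used in the signature: sha256 over the raw manifest bytes."""
    return "sha256:" + hashlib.sha256(manifest).hexdigest()


def build_payload(manifest: bytes, docker_reference: str, creator: str,
                  timestamp: Optional[int] = None) -> dict:
    """Build the containers-signature JSON object for one manifest and one identity."""
    return {
        "critical": {
            "type": "atomic container signature",
            "image": {"docker-manifest-digest": manifest_digest(manifest)},
            "identity": {"docker-reference": docker_reference},
        },
        "optional": {"creator": creator,
                     "timestamp": int(time.time()) if timestamp is None else timestamp},
    }


def check_payload(payload: dict, manifest: bytes, expected_reference: str) -> List[str]:
    """Verifier-side checks; an empty list means the signature covers this manifest
    and identity. Unknown 'critical' members are rejected, unknown 'optional' ones ignored."""
    problems = []
    critical = payload.get("critical", {})
    if set(critical) - CRITICAL_MEMBERS:
        problems.append("unrecognized critical member(s)")
    if critical.get("type") != "atomic container signature":
        problems.append("unexpected critical.type")
    if critical.get("image", {}).get("docker-manifest-digest") != manifest_digest(manifest):
        problems.append("manifest digest does not match the served manifest")
    ref = critical.get("identity", {}).get("docker-reference")
    if ref != expected_reference:
        problems.append(f"signed identity {ref!r} != expected {expected_reference!r}")
    return problems
```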

Actions #1

Updated by ipanova@redhat.com about 3 years ago

  • Subject changed from As a user I can sign container image by providing signgin policy config to As a user I can sign container image by providing signing policy config
  • Description updated (diff)
Actions #2

Updated by ipanova@redhat.com about 3 years ago

  • Description updated (diff)
Actions #3

Updated by ipanova@redhat.com about 3 years ago

  • Description updated (diff)
Actions #4

Updated by lmjachky about 3 years ago

The standalone-sign option can be called within the script referenced by a signing service (the docs for users: https://docs.pulpproject.org/pulpcore/workflows/signed-metadata.html; the docs for plugin writers: https://docs.pulpproject.org/pulpcore/plugins/reference/metadata-signing.html).

Users will then write their own signing scripts, respecting our interface (where we define how the signing script should behave - what files it should generate and so on). The interface may be enforced by inheriting from the SigningService model and implementing custom validation/verification methods. We have already done this for AsciiArmoredDetachedSigningService (github).

In the pulp_container backend, we will call the sign method of a customized signing service that executes the signing script, and then we will eventually proceed further with publishing the created signatures. For instance, this is how we are using the signing service in pulp_rpm: github. And this is a script that is used for metadata signing in pulp_rpm: docs

Actions #5

Updated by ipanova@redhat.com about 3 years ago

  • Status changed from NEW to ASSIGNED
  • Assignee set to ipanova@redhat.com
Actions #6

Updated by ipanova@redhat.com about 3 years ago

  • Sprint set to Sprint 111
Actions #7

Updated by pulpbot about 3 years ago

  • Description updated (diff)
  • Status changed from ASSIGNED to CLOSED - DUPLICATE