Story #9511

Story #9502: [EPIC] Container Signing and Verification

As a user I can publish container signature to the server

Added by ipanova@redhat.com 13 days ago. Updated 1 day ago.

Status: NEW
Priority: Normal
Assignee: -
Sprint/Milestone: -
Start date:
Due date:
% Done: 0%
Estimated time:
Platform Release:
Groomed: No
Sprint Candidate: No
Tags:
Sprint:
Quarter:

Description

To add a single signature, PUT a new JSON object with version set to 2 (the manifest schema version), type set to atomic, and content set to the base64-encoded signature data (usually GPG-signed data). Name should be set to a unique name of the form digest@per-image-name, where digest is the image manifest digest (also used in the URL) and per-image-name is any unique identifier.

$ curl -X PUT --data @signature.json http://<registry_endpoint>:24817/extensions/v2/<namespace>/<name>/signatures/<imagesha256digest>

$ cat signature.json

{
    "version": 2,
    "type":    "atomic",
    "name":    "sha256:4028782c08eae4a8c9a28bf661c0a8d1c2fc8e19dbaae2b018b21011197e1484@cddeb7006d914716e2728000746a0b23",
    "content": "<base64 encoded signature>"
}

See https://github.com/openshift/openshift-docs/pull/3556/files and https://docs.openshift.com/container-platform/3.10/admin_guide/image_signatures.html#writing-image-signatures-using-registry-api

Note: skopeo will upload the signature provided that the registry presents the X-Registry-Supports-Signatures header: https://github.com/mtrmac/image/commit/6c17ca34793b19accc3d278fc93ce68e9943fcb4
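
The signature object described above, as an added example (not code from Pulp, OpenShift or skopeo): `build_signature` assembles the PUT body and `validate_signature` applies the structural checks a server could run on it. Both function names, the sha256-only digest pattern and the check that the digest in name equals the digest in the URL are assumptions; the signature bytes are constructed sample data.

```python
import base64
import json
import re

DIGEST_RE = re.compile(r"sha256:[0-9a-f]{64}")  # assumption: sha256 manifest digests only

# Sample values: digest and identifier are taken from the sample name on this page.
SAMPLE_DIGEST = "sha256:4028782c08eae4a8c9a28bf661c0a8d1c2fc8e19dbaae2b018b21011197e1484"
SAMPLE_ID = "cddeb7006d914716e2728000746a0b23"


def build_signature(manifest_digest, per_image_name, signature_bytes):
    """Client side: build the JSON object to PUT for one signature."""
    if not DIGEST_RE.fullmatch(manifest_digest):
        raise ValueError("manifest digest must look like sha256:<64 hex chars>")
    if not per_image_name or "@" in per_image_name:
        raise ValueError("per-image-name must be non-empty and contain no '@'")
    return {
        "version": 2,
        "type": "atomic",
        "name": f"{manifest_digest}@{per_image_name}",
        "content": base64.b64encode(signature_bytes).decode("ascii"),
    }


def validate_signature(body, url_digest):
    """Server side: return a list of problems; an empty list means well-formed."""
    try:
        doc = json.loads(body)
    except ValueError:
        return ["body is not valid JSON"]
    if not isinstance(doc, dict):
        return ["body is not a JSON object"]
    errors = []
    if doc.get("version") != 2:
        errors.append("version must be 2")
    if doc.get("type") != "atomic":
        errors.append("type must be 'atomic'")
    digest, sep, ident = str(doc.get("name", "")).partition("@")
    if not (sep and ident and DIGEST_RE.fullmatch(digest)):
        errors.append("name must have the form digest@per-image-name")
    elif digest != url_digest:
        errors.append("name digest does not match the digest in the URL")
    try:
        if not base64.b64decode(doc.get("content"), validate=True):
            errors.append("content is empty")
    except (TypeError, ValueError):  # binascii.Error is a ValueError
        errors.append("content is not valid base64")
    return errors
```

These checks cover structure only; they do not verify the GPG signature carried in content.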

History

#1 Updated by ipanova@redhat.com 13 days ago

  • Description updated (diff)

#2 Updated by ipanova@redhat.com 13 days ago

  • Description updated (diff)

#3 Updated by ipanova@redhat.com 7 days ago

  • Description updated (diff)

#4 Updated by ipanova@redhat.com 1 day ago

  • Description updated (diff)
