Story #9511
closed Story #9502: [EPIC] Container Signing and Verification
As a user I can publish a container signature to the server
Description
Ticket moved to GitHub: "pulp/pulp_container/502":https://github.com/pulp/pulp_container/issues/502
To add a single signature, PUT a new JSON object with version set to 2 (manifest schema version), type set to atomic, and content set to the base64-encoded signature data (usually GPG-signed data).
Name should be set to a unique name of the form digest@per-image-name, where digest is an image manifest digest (also used in the URL), and per-image-name is any unique identifier.
$ curl -X PUT --data @signature.json http://<registry_endpoint>:24817/extensions/v2/<namespace>/<name>/signatures/<imagesha256digest>
$ cat signature.json
{
  "version": 2,
  "type": "atomic",
  "name": "sha256:4028782c08eae4a8c9a28bf661c0a8d1c2fc8e19dbaae2b018b21011197e1484@cddeb7006d914716e2728000746a0b23",
  "content": "<base64 encoded signature>"
}
See https://github.com/openshift/openshift-docs/pull/3556/files and https://docs.openshift.com/container-platform/3.10/admin_guide/image_signatures.html#writing-image-signatures-using-registry-api
Note: skopeo will upload the signature provided that the registry presents the X-Registry-Supports-Signatures header: https://github.com/mtrmac/image/commit/6c17ca34793b19accc3d278fc93ce68e9943fcb4
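
The request body described above, built on the client side and checked on the receiving side, as an added example (not code from this ticket or from pulp_container). The function names and the random 32-hex-character per-image-name are assumptions; the field values and the rule that the digest in name matches the digest in the URL come from the description.

```python
import base64
import binascii
import json
import re
import uuid

DIGEST_RE = re.compile(r"sha256:[0-9a-f]{64}")


def build_signature_payload(manifest_digest, signature_bytes, per_image_name=None):
    """Build the JSON body for the PUT request described above."""
    if not DIGEST_RE.fullmatch(manifest_digest):
        raise ValueError("manifest digest must be sha256:<64 lowercase hex chars>")
    # Assumption: a random 32-hex-char identifier is unique enough per image.
    per_image_name = per_image_name or uuid.uuid4().hex
    return {
        "version": 2,  # manifest schema version
        "type": "atomic",
        "name": f"{manifest_digest}@{per_image_name}",
        "content": base64.b64encode(signature_bytes).decode("ascii"),
    }


def validate_signature_payload(body, url_digest):
    """Return a list of problems with a received body; empty means well formed."""
    try:
        doc = json.loads(body)
    except json.JSONDecodeError as exc:
        return [f"invalid JSON: {exc.msg}"]
    if not isinstance(doc, dict):
        return ["body is not a JSON object"]
    problems = []
    if doc.get("version") != 2:
        problems.append("version must be 2")
    if doc.get("type") != "atomic":
        problems.append("type must be atomic")
    digest, sep, ident = str(doc.get("name", "")).partition("@")
    if not (DIGEST_RE.fullmatch(digest) and sep and ident):
        problems.append("name must be digest@per-image-name")
    elif digest != url_digest:
        problems.append("digest in name does not match digest in URL")
    try:
        if not base64.b64decode(str(doc.get("content", "")), validate=True):
            problems.append("content is empty")
    except (binascii.Error, ValueError):
        problems.append("content is not valid base64")
    return problems
```

The validator checks only the shape of the request; verifying the GPG signature carried in content is a separate step.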