Project

Profile

Help

Story #9512

closed

Story #9502: [EPIC] Contrainer Signing and Verification

As a user, I have signatures removed with the image removal

Added by ipanova@redhat.com over 2 years ago. Updated over 2 years ago.

Status:
CLOSED - DUPLICATE
Priority:
Normal
Assignee:
-
Sprint/Milestone:
-
Start date:
Due date:
% Done:

0%

Estimated time:
Platform Release:
Groomed:
No
Sprint Candidate:
No
Tags:
Sprint:
Quarter:

Description

Ticket moved to GitHub: "pulp/pulp_container/503":https://github.com/pulp/pulp_container/issues/503


Container signature has a specific path structure base/namespaces/name@digest-algo=digest-value/signature-index

Example of the URL the client calls during signature verification process GET https://registry.redhat.io/containers/sigstore/ubi8/ubi-micro@sha256=43520d9634eaaa007a697be79eb604fcbfd348afe5e620c1407629bf20ced542/signature-1

Within the URL, index is a decimal integer (in the canonical form), starting with 1. Signatures are stored at URLs with successive index values; to read all of them, clients start with index=1, and continue reading signatures and increasing index as long as signatures with these index values exist.

Similarly, to add one more signatures to an image, one would need find the first index which does not exist, and then store the new signature using that index value.

For these reasons, it is not advised to provide a DELETE API, and the only way a signature would be removed from the sigstore would be with the image removal itself.

This is no longer true since we're adding signature api extentions. We'd still not allow signature removal api. The only way a signature would be removed from the registry would be with the image removal itself.

More info on the signature protocols https://github.com/containers/image/blob/main/docs/signature-protocols.md

Actions #1

Updated by ipanova@redhat.com over 2 years ago

  • Description updated (diff)
Actions #2

Updated by ipanova@redhat.com over 2 years ago

  • Subject changed from As a user I can delete container signature from the server to As a user, I have signatures removed with the image removal
  • Description updated (diff)
Actions #3

Updated by pulpbot over 2 years ago

  • Description updated (diff)
  • Status changed from NEW to CLOSED - DUPLICATE

Also available in: Atom PDF