Sign released images with sigstore/cosign #1267
Labels
priority: p2
Moderately-important priority. Fix may not be included in next release.
type: feature request
‘Nice-to-have’ improvement, new feature or different behavior or design.
Feature Description
Start to sign the published OCI images using a documented identity.
It looks like you are using Google Cloud Build to publish your images, which @dlorenc added support for to get the
distroless
images signed, e.g.https://github.com/GoogleContainerTools/distroless/blob/db2d69aa294c7ff414ae12c6ffe578254745a4ca/cloudbuild.yaml#L75
Currently, we inject these sidecars alongside a few of our images, and we'd love to be able to author policies stating that the images we pull down must be signed by your release process, e.g.
[email protected]
Alternatives Considered
N/A
Additional Context
If you use Github actions for your releases this is even easier, and I could probably just send a PR, but either way an admin will have to do a bit of IAM setup to support this.
The text was updated successfully, but these errors were encountered: