Implement signing #25
Checked Annotation Rules. I see no issue with using annotations for storing the signed object* and signature. *signed object: the string that contains target digest + metadata
I could not find consensus in the oci-spec repository on signing, and could not find a clear favourite that will emerge in the near future. We may also consider using https://github.com/notaryproject/notary, but for now we do not plan to use this.
TODO: need to include the version, as this should also be part of the string that gets signed
TODO: we also need to add verification of signatures before we edit or add a manifest. For example, if we attach a layer, we need to make sure that the old signature of the manifest entry was valid. Otherwise, we would make something that was invalid before valid without directly checking it. e.g.:
EDIT: done ✅
TODO: we also need to add verification of digests. The signed data contains a digest, which is a sha256 hash of the respective blob (if a layer) or JSON (if a manifest). If the blob or manifest is modified, the digest also changes in the registry. gl-oci should also verify the digest where possible, but in theory it should not be required, because the oci-registry would not allow hosting mismatching digests, with the potential implementation-dependent exception of entries in the oci-index. Therefore we just make sure to verify digests wherever we use the digest. EDIT: done ✅
TODO: verification of signatures fails
Requirements
Thanks @nkraetzschmar
Integration into Pipelines