In cosign dockerfile verify, verification options like --certificate and --certificate-oidc-issuer are passed as command-line arguments.
This leaves the user burdened with mapping certificate criteria to images externally, and for multi-stage builds invoking cosign verify dockerfile multiple times.
I propose allowing the options.CertVerifyOptions to be encoded within comments of the Dockerfile:
The implementation would parse any comments preceding a FROM statement and support the same options as the CLI, expressed as key-value pairs. Values specified at the command line would overwrite those derived from comments.
Naively the VerifyDockerfileCommand could invoke the embedded VerifyCommand multiple times with each unique options.CertVerifyOptions discovered. Grouping by unique options would mean users not using the comments are unaffected.
Does anyone else want this?
Does it belong in cosign, or should it be a separate tool?
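To make the proposal concrete, here is an added sketch in Go (cosign's language) of the comment parsing, CLI override and grouping described above; it is not cosign's code or part of the issue. VerifyOpts, Group, knownKeys and the sample Dockerfile are assumptions or constructed, and the sketch does not handle FROM flags such as --platform or FROM lines that reference an earlier build stage.

```go
package main
import (
	"bufio"
	"fmt"
	"maps"
	"strings"
)
// VerifyOpts stands in for options.CertVerifyOptions (assumption: a map of CLI flag name without "--" to value).
type VerifyOpts map[string]string
type Group struct { // one distinct option set plus the FROM images to verify with it
	Opts   VerifyOpts
	Images []string
}
var knownKeys = map[string]bool{"certificate": true, "certificate-oidc-issuer": true, "certificate-identity": true}
// ParseDockerfile reads key=value comments between the previous instruction and a FROM, lets cli override them,
// and groups images by option set (fmt prints map keys sorted) so VerifyCommand runs once per distinct set.
// Unknown keys are errors: a misspelt option must not silently weaken verification.
func ParseDockerfile(src string, cli VerifyOpts) (map[string]Group, error) {
	groups, pending := map[string]Group{}, VerifyOpts{}
	sc := bufio.NewScanner(strings.NewReader(src))
	for n := 1; sc.Scan(); n++ {
		line := strings.TrimSpace(sc.Text())
		switch fields := strings.Fields(line); {
		case line == "": // blank lines neither add nor reset pending options
		case line[0] == '#':
			k, v, ok := strings.Cut(strings.TrimSpace(line[1:]), "=")
			if k = strings.TrimSpace(k); !ok || k == "syntax" || k == "escape" {
				continue // plain comment or Dockerfile parser directive
			} else if !knownKeys[k] {
				return nil, fmt.Errorf("line %d: unknown verification option %q", n, k)
			}
			pending[k] = strings.TrimSpace(v)
		case len(fields) > 1 && strings.EqualFold(fields[0], "FROM"): // assumes no --platform flag
			opts := maps.Clone(pending)
			maps.Copy(opts, cli) // command-line values win
			g := groups[fmt.Sprint(opts)]
			groups[fmt.Sprint(opts)] = Group{Opts: opts, Images: append(g.Images, fields[1])}
			pending = VerifyOpts{}
		default:
			pending = VerifyOpts{} // any other instruction resets the pending options
		}
	}
	return groups, sc.Err()
}
// Constructed sample: two stages whose base images were signed by the same GitHub Actions workflow.
const stamp = "# certificate-oidc-issuer=https://token.actions.githubusercontent.com\n" +
	"# certificate-identity=https://github.com/example/base/.github/workflows/release.yml@refs/heads/main\n"
const sample = stamp + "FROM ghcr.io/example/base:1.2 AS build\nRUN make\n" + stamp + "FROM ghcr.io/example/runtime:1.2\n"
func main() {
	fmt.Println(ParseDockerfile(sample, nil)) // prints one group holding both images
}
```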
Related
certificate-github-workflow-repository and certificate-github-workflow-name 😍