Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Think about signing the built container images #2

Open
zmiklank opened this issue Feb 23, 2022 · 3 comments
Open

Think about signing the built container images #2

zmiklank opened this issue Feb 23, 2022 · 3 comments
Assignees
@zmiklank

Comments

@zmiklank
Copy link
Member

Investigate, if sigstore can be used for signing the images and if the idea makes sense.
@zmiklank zmiklank self-assigned this Feb 23, 2022
@zmiklank
Copy link
Member Author

zmiklank commented Mar 8, 2022

The signature can be created with GitHub Action and then stored in the container registry.
Quay already supports the sigstore, as it is based on OCI, however only from version 3.6 and quay.io yet wasn't upgraded to this version (but will be).
When the quay.io supports the sigstore we could sign our containers, and ship them signed.
The authentication of the signer is done via the OpenID connect

@phracek
Copy link
Member

phracek commented Apr 29, 2022
edited

@vrothberg is working on a project with signing containers. We can be a pioneers :) https://github.com/sigstore/cosign

@vrothberg
Copy link

Thanks for the ping. Yes, we are working on integrating sigstore/cosign support into the container tools (Skopeo, Podman, Buildah).

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@zmiklank zmiklank

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@phracek @vrothberg @zmiklank