Validate cosign signatures if included in images
#2257
Is your feature request related to a problem? Please describe.
As Ezra I want to validate cosign signatures on `zarf package create` so that I can have confidence that they will work correctly before the package goes to the air gap.

Describe the solution you'd like
images

Describe alternatives you've considered
We could have a separate process for this (and this will slow down `create`), but since it will only run when cosign signatures are defined it should be a fine tradeoff: people can opt into the slowdown if they need or want to, and if they do it will save them time in the long run, since it would be costly to bring an invalid package to the air gap.

Additional context
#475

Comments

Want to call out that this is more than just "confidence they will work correctly" in the broad sense, but also confidence that the image is what I expected (i.e. it isn't some maliciously published image; it was published by the build system I expected). There are some valuable supply chain considerations there.

While I think this is a good qualifier for a first pass, it would honestly be great if there were also a way to opt in to signature validation even if I don't put signatures in.

Worth noting that there are a number of different validation paths with cosign: you may need to pass in a key, skip the tlog, or it might just work (keyless signatures?). It would likely mean we need an additional "config block"/args to specify some of those options, and potentially allow it per registry/repo/image.