Open ahmet2mir opened 3 years ago
This would be another use case for https://github.com/sigstore/cosign/issues/666
I too want kaniko to support verifying `FROM` images, but another take on this would be: https://github.com/sigstore/cosign/issues/648
If a workflow could verify and resolve a Dockerfile, then what's handed to kaniko is by digest and pre-verified.
I opened the issue Jason linked based on discussion that ensued around similar aims in ko: https://github.com/google/ko/pull/436
So big +1 from me, and I'd be happy to discuss more stuff in this vein.
Hello,
We use kaniko and cosign to build/sign our images and I see that Kaniko uses cosign too.
Also, cosign is not "integrated" in Kaniko; you use it separately in your CI.
As kaniko doesn't embed cosign, it would be very helpful if we could, at least, "dump" a kind of dependency image graph with a depth size.
So then we could run `cosign verify` easily to ensure that base images are also signed? From a security perspective, it will ensure that we don't build a production image based on a hijacked image. It's impossible to guarantee that an image wasn't overridden on registries. At least with the signature we could verify it and set annotations on signatures to "trace" the build (like pipeline id, git sha, etc.).
Let me know if I'm not clear.
Thanks!
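The workflow sketched in this thread (enumerate the base images a Dockerfile pulls, run `cosign verify` on each, and hand kaniko a digest-pinned reference rather than a tag) can be done outside kaniko today. The script below is an added example written for this page; it is not kaniko or cosign project code. It parses `FROM` lines (handling `ARG` defaults declared before the first `FROM`, `--platform`, multi-stage aliases and `scratch`), builds the `cosign verify --key` command for every external image, and, given cosign's JSON output, rewrites a tag reference to the exact digest that was verified. The file names `Dockerfile` and `cosign.pub`, the sample Dockerfile and the sample cosign output are all constructed for the example.

```python
"""Enumerate a Dockerfile's external base images and prepare cosign checks.

Added example for this discussion, not kaniko/cosign project code. Assumes a
Dockerfile and a cosign public key (hypothetical path cosign.pub) next to the
script; the sample inputs below are constructed inline so it runs offline.
"""
import json
import re
import shlex
import subprocess
from typing import Dict, Iterator, List

# Constructed sample covering the cases a FROM parser must handle:
# ARG-parameterised base, --platform flag, stage aliases, scratch, digest pin.
SAMPLE_DOCKERFILE = """\
ARG GO_VERSION=1.22
ARG BASE=gcr.io/distroless/static:nonroot
FROM --platform=$BUILDPLATFORM golang:${GO_VERSION}-alpine AS build
WORKDIR /src
COPY . .
RUN CGO_ENABLED=0 go build \\
    -o /out/app .

FROM alpine:3.19@sha256:c5b1261d6d3e43071626931fc004f70149baeba2c8ec672bd4f27761f8e1ad6b AS certs
RUN apk add --no-cache ca-certificates

FROM scratch AS empty

FROM ${BASE}
COPY --from=build /out/app /app
COPY --from=certs /etc/ssl/certs /etc/ssl/certs
ENTRYPOINT ["/app"]
"""

# Constructed stand-in for `cosign verify` stdout: a JSON array of simple-signing
# payloads whose critical.image.docker-manifest-digest is the verified digest.
CONSTRUCTED_VERIFY_OUTPUT = json.dumps([{
    "critical": {
        "identity": {"docker-reference": "index.docker.io/library/golang"},
        "image": {"docker-manifest-digest": "sha256:" + "ab" * 32},
        "type": "cosign container image signature",
    },
    "optional": {"pipeline-id": "1234", "git-sha": "deadbeef"},
}])

_VAR = re.compile(r"\$\{([A-Za-z_]\w*)(?::-([^}]*))?\}|\$([A-Za-z_]\w*)")


def _expand(value: str, args: Dict[str, str]) -> str:
    """Substitute $VAR, ${VAR} and ${VAR:-default}; unknown names become ""."""
    return _VAR.sub(lambda m: args.get(m.group(1) or m.group(3), m.group(2) or ""), value)


def _logical_lines(text: str) -> Iterator[str]:
    """Join backslash-continued lines and drop blanks and comments."""
    buf = ""
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        line = (buf + line).strip()
        buf = ""
        if line and not line.startswith("#"):
            yield line


def base_images(dockerfile: str) -> List[str]:
    """External images referenced by FROM, in order, deduplicated.

    Stage aliases referenced by a later FROM and `scratch` are not pulled from a
    registry and are skipped. Only ARGs declared before the first FROM expand.
    """
    args: Dict[str, str] = {}
    stages, images, seen_from = set(), [], False
    for line in _logical_lines(dockerfile):
        instr, _, rest = line.partition(" ")
        instr = instr.upper()
        if instr == "ARG" and not seen_from:
            name, _, default = rest.strip().partition("=")
            args[name.strip()] = default.strip()
        elif instr == "FROM":
            seen_from = True
            tokens = [t for t in rest.split() if not t.startswith("--")]  # drop --platform=
            ref = _expand(tokens[0], args)
            if ref != "scratch" and ref.lower() not in stages and ref not in images:
                images.append(ref)
            if len(tokens) >= 3 and tokens[1].upper() == "AS":
                stages.add(tokens[2].lower())  # stage names are case-insensitive
    return images


def is_pinned(ref: str) -> bool:
    """True when the reference carries a digest, so the pulled bytes are fixed."""
    return "@sha256:" in ref


def verify_command(image: str, pubkey: str = "cosign.pub") -> List[str]:
    """argv for key-based verification: cosign verify --key <pubkey> <image>."""
    return ["cosign", "verify", "--key", pubkey, image]


def pinned_reference(image: str, verify_stdout: str) -> str:
    """Rewrite <repo>[:tag] to <repo>@<digest> using the digest cosign verified.

    If the input was already digest-pinned, the digests must agree; otherwise a
    tag could have been moved between verification and the kaniko pull.
    """
    digest = json.loads(verify_stdout)[0]["critical"]["image"]["docker-manifest-digest"]
    repo, _, pinned = image.partition("@")
    if pinned and pinned != digest:
        raise ValueError(f"{image}: verified digest {digest} differs from pinned one")
    if repo.rfind(":") > repo.rfind("/"):  # a ':' after the last '/' is the tag separator
        repo = repo[: repo.rfind(":")]
    return f"{repo}@{digest}"


def verify_all(dockerfile: str, pubkey: str = "cosign.pub") -> Dict[str, str]:
    """Run cosign on every base image; returns image -> digest-pinned reference.

    Needs the cosign binary and registry access. A failed verification aborts,
    which is the behaviour wanted in CI before kaniko is invoked.
    """
    pinned = {}
    for image in base_images(dockerfile):
        proc = subprocess.run(verify_command(image, pubkey), capture_output=True, text=True)
        if proc.returncode != 0:
            raise SystemExit(f"unsigned or unverifiable base image: {image}\n{proc.stderr}")
        pinned[image] = pinned_reference(image, proc.stdout)
    return pinned


if __name__ == "__main__":
    # Offline: print the commands CI would run and flag tag-only references.
    for img in base_images(SAMPLE_DOCKERFILE):
        note = "" if is_pinned(img) else "   # tag only: pin to the verified digest"
        print(" ".join(shlex.quote(a) for a in verify_command(img)) + note)
```

In CI the pinned references returned by `verify_all` are what you substitute into the Dockerfile (or pass as `--build-arg` for an `ARG`-parameterised `FROM`) before calling kaniko, which is the "verify and resolve, then hand kaniko digests" flow from the comment above. `verify_all` stops at the first unverifiable image on purpose; annotations recorded at signing time show up under `optional` in the same JSON and can be checked there if you want to trace the producing pipeline.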