blue-build / github-action

Reusable GitHub Action to build custom images
Apache License 2.0
12 stars 3 forks

feat: add base image verification #2

Open xynydev opened 8 months ago

xynydev commented 8 months ago

Are these things, that are in the startingpoint action, missing from here, or are they implemented in blue-build/cli (@gmpinder)?

gmpinder commented 8 months ago

Lowercase registry is being fixed here: https://github.com/blue-build/cli/pull/8

xynydev commented 8 months ago

Should the image verification be implemented here with EyeCantCU's action (easy), or in cli?

gmpinder commented 8 months ago

Should the image verification be implemented here with EyeCantCU's action (easy), or in cli?

If it just involves inspecting it for a label, we can totally do that in the tool. Plus I'll need that to make sure we're using the right version number on the image instead of latest.

qoijjj commented 8 months ago

FYI, not only is base image verification needed but also custom base image verification, if using EyeCantCU's action:

      - name: Verify base image
        if: ${{ ! contains(env.IMAGE_NAME, 'wayblue') }}
        uses: EyeCantCU/cosign-action/verify@v0.2.2
        with:
          containers: ${{ env.BASE_IMAGE_NAME }}:${{ env.IMAGE_MAJOR_VERSION }}

      - name: Verify base image
        if: ${{ contains(env.IMAGE_NAME, 'wayblue') }}
        uses: EyeCantCU/cosign-action/verify@v0.2.2
        with:
          containers: ${{ env.BASE_IMAGE_NAME }}:${{ env.IMAGE_MAJOR_VERSION }}
          registry: 'ghcr.io/wayblueorg'
          pubkey: 'https://raw.githubusercontent.com/wayblueorg/wayblue/live/cosign.pub'

Regardless, the registry and pubkey need to be available as parameters.

xynydev commented 8 months ago

I could implement this based on EyeCantCU's PR on startingpoint first, since this isn't a priority to implement in cli.

xynydev commented 7 months ago

We should probably have a list of keys to verify against by default, at least ublue and upstream fedora and vanilla (if those use cosign, haven't checked yet). I'm also unsure how to handle OIDC here.
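The two ideas in this thread, a registry/pubkey pair passed as parameters (qoijjj's workflow snippet) and a default list of keys keyed on the base image's origin (xynydev's last comment), can be combined in one small verification step. The script below is an added example written for this page, not code from blue-build/github-action, blue-build/cli or EyeCantCU/cosign-action. The only key URL taken from the thread is wayblue's; the ublue-os key URL, the function names, and the policy "explicit pubkey parameter beats the default table, and an unknown origin fails closed" are assumptions. Where the snippet above picks the key from IMAGE_NAME, this generalises to matching the registry/org prefix of the base image itself, after lowercasing the name part as the cli lowercase-registry fix does.

```shell
#!/bin/sh
# Added example (not blue-build's code): choose the cosign public key for a
# base image and run `cosign verify` with it.
# Assumptions: the ublue-os key URL, the function names, and the
# "explicit parameter > default table > fail closed" policy.
set -u

# Default key table, keyed on the registry/org prefix of the *base* image.
default_pubkey_for() {
  case $1 in
    ghcr.io/wayblueorg/*) echo 'https://raw.githubusercontent.com/wayblueorg/wayblue/live/cosign.pub' ;;
    ghcr.io/ublue-os/*)   echo 'https://raw.githubusercontent.com/ublue-os/main/main/cosign.pub' ;; # assumed URL
    *) return 1 ;;
  esac
}

# Registry and repository names must be lowercase; the tag or digest is kept
# as given. A ':' only counts as a tag separator after the last '/', so a
# registry port (localhost:5000/...) is not mistaken for a tag.
normalize_ref() {
  ref=$1
  case $ref in
    *@sha256:*) name=${ref%%@*}; suffix="@${ref#*@}" ;;
    *)
      last=${ref##*/}
      case $last in
        *:*) tag=${last#*:}; name=${ref%:"$tag"}; suffix=":$tag" ;;
        *)   name=$ref; suffix='' ;;
      esac ;;
  esac
  printf '%s%s\n' "$(printf '%s' "$name" | tr '[:upper:]' '[:lower:]')" "$suffix"
}

# Tag of a reference: "latest" when no tag is given, "" when a digest is used.
# Verifying ":latest" only proves that *some* signed image carries the tag
# right now, so callers should pin a version tag or a digest.
tag_of() {
  case $1 in
    *@sha256:*) echo '' ;;
    *) last=${1##*/}
       case $last in
         *:*) echo "${last#*:}" ;;
         *)   echo latest ;;
       esac ;;
  esac
}

# resolve_pubkey IMAGE [PUBKEY]: explicit parameter wins, then the default
# table, otherwise fail closed instead of silently skipping verification.
resolve_pubkey() {
  image=$(normalize_ref "$1")
  explicit=${2:-}
  if [ -n "$explicit" ]; then
    echo "$explicit"
  elif default_pubkey_for "$image"; then
    :
  else
    echo "no cosign key known for $image; pass pubkey explicitly" >&2
    return 1
  fi
}

# verify_command IMAGE [PUBKEY]: print the cosign invocation that would run.
verify_command() {
  key=$(resolve_pubkey "$1" "${2:-}") || return 1
  printf 'cosign verify --key %s %s\n' "$key" "$(normalize_ref "$1")"
}

# verify_base_image IMAGE [PUBKEY]: fetch the key (URL or local path) to a
# temp file and run cosign against the normalized reference.
verify_base_image() {
  image=$(normalize_ref "$1")
  key=$(resolve_pubkey "$1" "${2:-}") || return 1
  if [ "$(tag_of "$image")" = latest ]; then
    echo "warning: $image is not pinned to a version tag or digest" >&2
  fi
  tmp=$(mktemp) || return 1
  case $key in
    http://*|https://*) curl -fsSL "$key" -o "$tmp" || { rm -f "$tmp"; return 1; } ;;
    *) cp "$key" "$tmp" || { rm -f "$tmp"; return 1; } ;;
  esac
  cosign verify --key "$tmp" "$image"
  rc=$?
  rm -f "$tmp"
  return $rc
}

# Usage: sh verify-base.sh ghcr.io/wayblueorg/wayblue:39 [pubkey]
case ${0##*/} in verify-base.sh) verify_base_image "$@" ;; esac
```

Keyless (OIDC) signatures are not covered by this table: for those, cosign is given the expected signer identity and issuer (`--certificate-identity` and `--certificate-oidc-issuer` in cosign 2.x) instead of `--key`, so an action exposing both would need a second pair of parameters rather than a pubkey entry.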