Open phantooom opened 4 years ago
This probably requires further investigation on our part. See related conversation here: https://github.com/buildpacks/lifecycle/issues/180
Hi @phantooom, I was looking into this a bit more, and I'd like to understand the use case. Were you looking to sign an image through pack? Were you looking to only consume signed images through pack?
Hello again @phantooom, do you still have a use case that requires digital signatures? Can you elaborate more on your specific use case?
This hopefully will be started through https://github.com/buildpacks/docs/issues/203 (signing issues post use of pack) and https://github.com/notaryproject/nv2/issues/19 (signing images/restricting to signed images in the use of CNBs)
I'm working on a project to help out with image signing and would love to make it work well with buildpacks. You can check out the docs here: github.com/sigstore/cosign
I think it would work fine for buildpack images today - it just operates on whatever has been pushed to a registry directly. If there are any other interesting lifecycle points in buildpack that would make sense to plug this into please let me know!
Thanks for letting us know about it, @dlorenc! (also, thanks for your very enjoyable blog posts on container/go subjects!)
We definitely should look into that. Is this the right forum for asking how you think it'll work together/separately from notary?
Sure! Here or I'm happy to chat over email/video!
@dfreilich - let me know if you'd like to catch up here, I think we can probably help out with the integration if you're interested!
@dlorenc looking forward to checking out your presentation in CNB office hours on 6/10/21! Link for those interested.
@dfreilich Are there any updates wrt pack integrating with cosign? Happy to be pointed to a bunch of docs / roadmaps around pack signing images in general
@DennisDenuto - we were just talking about this during the office hours today - we will be working on an RFC to start the conversation around cosign integration with buildpacks. You can track https://github.com/buildpacks/rfcs/issues/192 for now.
This one is still blocked by RFC-192 and we anticipate we will be taking a look into it during our second half of the year.
I want to use buildpack. Does it support image digital signatures?
ref: https://docs.docker.com/engine/security/trust/content_trust/