buildpacks / pack

CLI for building apps using Cloud Native Buildpacks
https://buildpacks.io
Apache License 2.0

Support digital signatures for application images #268

Open phantooom opened 4 years ago

phantooom commented 4 years ago

I want to use buildpack. Does it support image digital signatures?

ref: https://docs.docker.com/engine/security/trust/content_trust/

natalieparellano commented 4 years ago

This probably requires further investigation on our part. See related conversation here: https://github.com/buildpacks/lifecycle/issues/180

dfreilich commented 3 years ago

Hi @phantooom, I was looking into this a bit more, and I'd like to understand the use case. Were you looking to sign an image through pack? Were you looking to only consume signed images through pack?

jabrown85 commented 3 years ago

Hello again @phantooom, do you still have a use case that requires digital signatures? Can you elaborate more on your specific use case?

dfreilich commented 3 years ago

This hopefully will be started through https://github.com/buildpacks/docs/issues/203 (signing issues post use of pack) and https://github.com/notaryproject/nv2/issues/19 (signing images/restricting to signed images in the use of CNBs)

dlorenc commented 3 years ago

I'm working on a project to help out with image signing and would love to make it work well with buildpacks. You can check out the docs here: github.com/sigstore/cosign

I think it would work fine for buildpack images today - it just operates on whatever has been pushed to a registry directly. If there are any other interesting lifecycle points in buildpack that would make sense to plug this into please let me know!

dfreilich commented 3 years ago

Thanks for letting us know about it, @dlorenc! (Also, thanks for your very enjoyable blog posts on container/go subjects!)

We definitely should look into that. Is this the right forum for asking how you think it'll work together/separately from notary?

dlorenc commented 3 years ago

Sure! Here or I'm happy to chat over email/video!

dlorenc commented 3 years ago

@dfreilich - let me know if you'd like to catch up here, I think we can probably help out with the integration if you're interested!

natalieparellano commented 3 years ago

@dlorenc looking forward to checking out your presentation in CNB office hours on 6/10/21! Link for those interested.

DennisDenuto commented 2 years ago

@dfreilich Are there any updates wrt pack integrating with cosign? Happy to be pointed to a bunch of docs / roadmaps around pack signing images in general

samj1912 commented 2 years ago

@DennisDenuto - we were just talking about this during the office hours today - we will be working on an RFC to start the conversation around cosign integration with buildpacks. You can track https://github.com/buildpacks/rfcs/issues/192 for now.

jjbustamante commented 10 months ago

This one is still blocked by RFC-192, and we anticipate we will be taking a look into it during our second half of the year.