carvel-dev / kapp-controller

Continuous delivery and package management for Kubernetes.
https://carvel.dev/kapp-controller
Apache License 2.0
262 stars, 101 forks

[App CR] Support signature verification for fetched artefacts using Sigstore #1078

Open ThomasVitale opened 1 year ago

ThomasVitale commented 1 year ago

Describe the problem/challenge you have

When fetching artefacts as part of the App CR, it would be great if it were possible to verify their signature in advance (Git commits, OCI images...). This could be added once vendir gets the Sigstore integration as per https://github.com/carvel-dev/vendir/issues/92.

There's a similar issue about doing the same, but only for Git commits when using GPG: https://github.com/carvel-dev/kapp-controller/issues/6.


Vote on this request

This is an invitation to the community to vote on issues, to help us prioritize our backlog. Use the "smiley face" up to the right of this comment to vote.

👍 "I would like to see this addressed as soon as possible"
👎 "There are other more important things to focus on right now"

We are also happy to receive and review Pull Requests if you want to help work on this issue.

neil-hickey commented 1 year ago

Yes! We have been thinking about this for a while, and it's coming up as a strong 'yes please' from the community. As you mentioned, it's got to be implemented in imgpkg first, so I will 'untriage' this issue and leave it open so we can update it when this work is scheduled. Thanks as always @ThomasVitale!