containers / skopeo

Work with remote images registries - retrieving information, images, signing content
Apache License 2.0

image signature verification #2082

Closed akshaykumar-vijapur closed 11 months ago

akshaykumar-vijapur commented 1 year ago

Hi,

I need to verify the images which are signed by skopeo. It appears that image verification can be achieved by employing the skopeo copy command alongside a designated policy, facilitating image download and subsequent signature verification. Are there any existing methods through which image signatures can be verified without necessitating image download?

Is there any way we can verify the signature of the images without downloading them?

mtrmac commented 1 year ago

Thanks for reaching out.

There are ways to implement that, but the main question to ask is “what good does verifying an image without download do”? The registry where the image is hosted can always change what it serves, so “the image passed verification one second ago” is, without more constraints and without a careful process ensuring those constraints, not useful for making any decisions.

Hence the policy, with the intent that it is enforced in the actual consumer of the image.

akshaykumar-vijapur commented 1 year ago

What are the other ways to verify the image signature without a policy?

akshaykumar-vijapur commented 1 year ago

We are trying to verify hundreds of images, so we need to do verification as quickly as possible.

akshaykumar-vijapur commented 1 year ago

Right now, downloading all images and verifying them is taking a lot of time.

mtrmac commented 1 year ago

A somewhat flippant, and admittedly not directly helpful, answer is that if you have to ask, you should use the policy, at the actual consumer of the image, or perhaps at the point of ingress into a larger trusted system.

Compare https://github.com/containers/skopeo/issues/560 .

akshaykumar-vijapur commented 1 year ago

@mtrmac I agree with you. But right now, to solve my problem, what is your suggestion?

akshaykumar-vijapur commented 1 year ago

Right now I don't see any options. Please help.

mtrmac commented 1 year ago

“write your own code that calls the containers/image library to verify a remote image against a policy, and don’t publish the result”.
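
An added example, not code from skopeo or containers/image, of what "verify a remote image against a policy" actually binds: a simple-signing signature covers a small JSON payload that pins one manifest digest and one image identity, so the check needs the manifest bytes and the signature blob, not the layers. The GPG step is omitted here (the payload is treated as already verified); `sampleManifest`, `constructedPayload`, `checkPayload` and the `registry.example.com` reference are all assumptions made for this example, and in the real library the equivalent checks live inside the policy evaluation that `skopeo copy` runs under the configured policy.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// simpleSigningPayload is the JSON document that a containers/image "simple
// signing" signature wraps: the signer GPG-signs exactly these bytes, so the
// signature is bound to one manifest digest and one image identity.
type simpleSigningPayload struct {
	Critical struct {
		Identity struct {
			DockerReference string `json:"docker-reference"`
		} `json:"identity"`
		Image struct {
			DockerManifestDigest string `json:"docker-manifest-digest"`
		} `json:"image"`
		Type string `json:"type"`
	} `json:"critical"`
	Optional map[string]interface{} `json:"optional,omitempty"`
}

// sampleManifest is a constructed OCI manifest standing in for what a registry
// serves for a tag; only its raw bytes matter, because the digest is over them.
var sampleManifest = []byte(`{"schemaVersion":2,"mediaType":"application/vnd.oci.image.manifest.v1+json","config":{"mediaType":"application/vnd.oci.image.config.v1+json","digest":"sha256:0000000000000000000000000000000000000000000000000000000000000000","size":2},"layers":[]}`)

// manifestDigest returns the registry-style digest of raw manifest bytes.
func manifestDigest(manifest []byte) string {
	sum := sha256.Sum256(manifest)
	return "sha256:" + hex.EncodeToString(sum[:])
}

// constructedPayload builds the payload a signer would sign for ref+manifest.
// It exists only to feed checkPayload; the GPG signing step is omitted (assumption).
func constructedPayload(ref string, manifest []byte) []byte {
	var p simpleSigningPayload
	p.Critical.Type = "atomic container signature"
	p.Critical.Identity.DockerReference = ref
	p.Critical.Image.DockerManifestDigest = manifestDigest(manifest)
	p.Optional = map[string]interface{}{"creator": "constructed example"}
	b, err := json.Marshal(p)
	if err != nil {
		panic(err) // cannot happen for this fixed struct
	}
	return b
}

// checkPayload performs the binding checks that follow a successful GPG
// verification of payload: the payload must name the identity we asked for and
// must pin the digest of the manifest we were actually served. It returns that
// digest so the consumer can pull ref@digest instead of trusting the tag again.
func checkPayload(payload, manifest []byte, expectedRef string) (string, error) {
	var p simpleSigningPayload
	if err := json.Unmarshal(payload, &p); err != nil {
		return "", fmt.Errorf("malformed signature payload: %w", err)
	}
	if p.Critical.Type != "atomic container signature" {
		return "", errors.New("unexpected signature type")
	}
	if p.Critical.Identity.DockerReference != expectedRef {
		return "", fmt.Errorf("signature identity %q does not match %q",
			p.Critical.Identity.DockerReference, expectedRef)
	}
	served := manifestDigest(manifest)
	if p.Critical.Image.DockerManifestDigest != served {
		return "", fmt.Errorf("served manifest %s is not the signed manifest %s",
			served, p.Critical.Image.DockerManifestDigest)
	}
	return served, nil
}

func main() {
	ref := "registry.example.com/team/app:1.0" // hypothetical image reference
	payload := constructedPayload(ref, sampleManifest)

	// Same manifest the signer saw: accepted, and we learn the digest to pin.
	digest, err := checkPayload(payload, sampleManifest, ref)
	fmt.Println("original:", digest, err)

	// The registry later serves different bytes under the same tag (here just a
	// trailing newline): the old signature no longer matches. This is why a pass
	// from a second ago proves nothing unless the consumer pulls by the digest
	// returned above or re-runs the policy check at the point of use.
	swapped := append(append([]byte{}, sampleManifest...), '\n')
	_, err = checkPayload(payload, swapped, ref)
	fmt.Println("swapped:", err)
}
```

The expensive part of `skopeo copy` is transferring layers; the policy decision itself only depends on the manifest and signature blobs, which is what makes a library-based pre-check cheap, and also why its result is only safe to act on when the consumer pins the digest it returned or enforces the same policy itself.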

github-actions[bot] commented 11 months ago

A friendly reminder that this issue had no activity for 30 days.