Sign Docker extensions by default using cosign

docker / extensions-sdk

Desktop Extensions SDK

https://docs.docker.com/desktop/extensions-sdk/

Apache License 2.0

141 stars 45 forks source link

Sign Docker extensions by default using cosign #168

Open Dentrax opened 2 years ago

Dentrax commented 2 years ago

We (@developer-guy) thought that we can add cosign support in the boilerplate. Similar to how GitHub did for Action starter workflow. ^1 So that developers can sign their extensions (+ images) by default. Leveraging this gives your users confidence that the extensions they got from Docker's extension market was the trusted code that you built and published.

Furthermore, we can add a signed icon in the Docker Extension UI like how ArtifactHub did as follows:

Screen Shot 2022-05-12 at 16 35 31

cc @dlorenc @cpanato

gtardif commented 2 years ago

Thanks, this is in our backlog. Indeed, this with a badge displayed can increase user confidence