estahn / k8s-image-swapper

Mirror images into your own registry and swap image references automatically.
https://estahn.github.io/k8s-image-swapper/
MIT License

Sigstore signature validation and copying #633

Open reegnz opened 9 months ago

reegnz commented 9 months ago

I've noticed that this project is using skopeo to copy images; that's very cool! It would be great if this project supported validating and copying sigstore signatures as well.

Skopeo utilizes this config format to validate images: https://github.com/containers/image/blob/main/docs/containers-policy.json.5.md

It can be instructed to look at signatures using this config format: https://github.com/containers/image/blob/main/docs/containers-registries.d.5.md#individual-configuration-sections

Ideally one should be able to pass the necessary configuration files to skopeo by allowing for custom skopeo args to be configured.
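The two configuration files referred to in the comment above, as an added example that is not part of the original issue and not k8s-image-swapper code: a `policy.json` that rejects everything except images from one source scope carrying a valid sigstore signature, and a `registries.d` file that turns on sigstore attachments so signatures are read from the source and written to the mirror. The registry names, key path and helper function names are assumptions made up for illustration; skopeo is invoked directly here.

```shell
#!/bin/sh
# Added example. src/dst registries and the key path are placeholders.

# write_sigstore_config DIR SRC_SCOPE DST_SCOPE PUBKEY
# Writes DIR/policy.json and DIR/registries.d/sigstore.yaml.
write_sigstore_config() {
    dir=$1 src=$2 dst=$3 key=$4
    mkdir -p "$dir/registries.d" || return 1

    # Default-deny policy: only images from SRC_SCOPE with a sigstore
    # signature that verifies against PUBKEY are accepted by skopeo.
    cat > "$dir/policy.json" <<EOF
{
  "default": [{"type": "reject"}],
  "transports": {
    "docker": {
      "$src": [
        {"type": "sigstoreSigned", "keyPath": "$key"}
      ]
    }
  }
}
EOF

    # Sigstore attachments are off unless enabled per scope. Enable them
    # on the source (read signatures) and the mirror (write signatures).
    cat > "$dir/registries.d/sigstore.yaml" <<EOF
docker:
  $src:
    use-sigstore-attachments: true
  $dst:
    use-sigstore-attachments: true
EOF
}

# verified_copy_cmd DIR SRC_IMAGE DST_IMAGE
# Prints the skopeo invocation that uses the files written above.
# --policy and --registries.d are global skopeo options, so they go
# before the "copy" subcommand.
verified_copy_cmd() {
    printf 'skopeo --policy %s/policy.json --registries.d %s/registries.d copy docker://%s docker://%s\n' \
        "$1" "$1" "$2" "$3"
}
```

With this policy an unsigned or wrongly signed source image makes the copy fail instead of being mirrored.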

estahn commented 8 months ago

@reegnz Thanks. FYI, there is currently a PR (#497) to remove the skopeo dependency and handle image pulling natively. This will use the same libraries as skopeo, so it should still be possible to use the above.