gardenlinux / python-gardenlinux-lib

Contains tools to work with the features directory of gardenlinux, for example deducting dependencies from feature sets or validating cnames

Implement signing #25

Closed Vincinator closed 1 month ago

Vincinator commented 2 months ago

Requirements

Thanks @nkraetzschmar

Integration into Pipelines

Vincinator commented 1 month ago

Checked Annotation Rules. I see no issue with using annotations for storing the signed object* and the signature.

*signed object: the string that contains target digest + metadata

Vincinator commented 1 month ago

I could not find consensus in the oci-spec repository on signing, and could not find a clear favourite that will emerge any time soon.

We may also consider using https://github.com/notaryproject/notary, but for now we do not plan to use this.

Vincinator commented 1 month ago

TODO: need to input the version, as this should also be part of the string that is signed

Vincinator commented 1 month ago

TODO: we also need to add verification of signatures before we edit or add a manifest. For example, if we attach a layer, we need to make sure that the old signature of the manifest entry was valid. Otherwise, we would make something that was invalid before valid without directly checking it.

e.g.:

EDIT: done ✅

Vincinator commented 1 month ago

TODO: we also need to add verification of digests. The signed-data contains a digest, which is a sha256 hash of the respective blob (if layer) or json (if manifest).

If the blob or manifest is modified, the digest also changes in the registry. gl-oci should also verify the digest where possible, but in theory it should not be required, because the oci-registry would not allow hosting mismatched digests, with the potential implementation-dependent exception of entries in the oci-index.

Therefore we just make sure to verify digests wherever we use the digest.

EDIT: done ✅
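
The two TODOs above (verify the existing manifest signature before attaching a layer, and verify the sha256 digest wherever a digest is used) together with the earlier note that the version must be part of the signed string, as one added Python example. This is illustration code written for this thread, not code from python-gardenlinux-lib or gl-oci; it assumes annotation keys named `signed-object` and `signature`, a constructed demo key, and uses an HMAC-SHA256 keyed MAC as a stand-in for whatever signature scheme the project eventually picks (the thread notes no scheme was settled). Everything else, including the sample manifest and layer bytes, is constructed inline.

```python
import hashlib
import hmac
import json

# Constructed demo key (assumption); a real deployment would use a proper
# signing key for the scheme the project chooses.
SIGNING_KEY = b"constructed-demo-signing-key"

# Assumed annotation key names; the project's real names may differ.
ANN_SIGNED_OBJECT = "signed-object"
ANN_SIGNATURE = "signature"


def digest_of(data: bytes) -> str:
    """OCI-style digest string: sha256 over the raw blob or manifest JSON bytes."""
    return "sha256:" + hashlib.sha256(data).hexdigest()


def canonical_manifest_bytes(manifest: dict) -> bytes:
    """Deterministic JSON serialisation so the digest is stable across runs."""
    return json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()


def signed_object(digest: str, version: str, metadata: dict) -> str:
    """The string that gets signed: target digest + version + metadata.
    The version is included on purpose, per the TODO in this thread."""
    return json.dumps(
        {"digest": digest, "version": version, "metadata": metadata},
        sort_keys=True, separators=(",", ":"),
    )


def sign(obj: str) -> str:
    """HMAC-SHA256 stand-in for the (unspecified) asymmetric signature scheme."""
    return hmac.new(SIGNING_KEY, obj.encode(), hashlib.sha256).hexdigest()


def verify_signature(obj: str, sig: str) -> bool:
    return hmac.compare_digest(sign(obj), sig)


def make_annotations(data: bytes, version: str, metadata: dict) -> dict:
    """Produce the two annotations stored next to a blob or manifest entry."""
    obj = signed_object(digest_of(data), version, metadata)
    return {ANN_SIGNED_OBJECT: obj, ANN_SIGNATURE: sign(obj)}


def verify_entry(data: bytes, annotations: dict) -> bool:
    """Verify both layers of trust: the signature over the signed object must
    be valid, AND the digest inside the signed object must match the data we
    actually hold. Checking only one of them is not enough."""
    obj = annotations.get(ANN_SIGNED_OBJECT)
    sig = annotations.get(ANN_SIGNATURE)
    if obj is None or sig is None or not verify_signature(obj, sig):
        return False
    return json.loads(obj)["digest"] == digest_of(data)


def attach_layer(manifest: dict, manifest_annotations: dict,
                 layer_data: bytes, version: str) -> tuple:
    """Attach a layer to a manifest, refusing to touch a manifest whose existing
    signature/digest does not verify (so we never launder an invalid entry into
    a valid one), then re-sign the updated manifest."""
    if not verify_entry(canonical_manifest_bytes(manifest), manifest_annotations):
        raise ValueError("existing manifest signature or digest invalid; refusing to modify")
    new_layer = {"digest": digest_of(layer_data), "size": len(layer_data)}
    new_manifest = {**manifest, "layers": manifest.get("layers", []) + [new_layer]}
    new_annotations = make_annotations(
        canonical_manifest_bytes(new_manifest), version, {"kind": "manifest"},
    )
    return new_manifest, new_annotations


if __name__ == "__main__":
    # Constructed sample manifest and layer.
    manifest = {"schemaVersion": 2, "layers": []}
    ann = make_annotations(canonical_manifest_bytes(manifest), "1.0", {"kind": "manifest"})
    print("manifest verifies:", verify_entry(canonical_manifest_bytes(manifest), ann))
    updated, updated_ann = attach_layer(manifest, ann, b"constructed layer bytes", "1.0")
    print("updated manifest verifies:", verify_entry(canonical_manifest_bytes(updated), updated_ann))
```

`verify_entry` is the check both TODOs ask for: a tampered blob fails on the digest comparison even when the annotations are intact, and forged annotations fail on the signature check before the digest is ever consulted. `attach_layer` runs that check on the old manifest first, so a manifest entry that was invalid before the edit stays invalid instead of being silently re-signed.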

Vincinator commented 1 month ago

TODO: verification of signatures fails