Closed Vincinator closed 1 month ago
Checked Annotation Rules. I see no issue with using annotations for storing signed object* and signature.
*signed object: the string that contains target digest + metadata
I could not find consensus in the oci-spec repository on signing, and could not find a clear favourite that will emerge anytime soon.
We may consider also using https://github.com/notaryproject/notary, but for now we do not plan to use this.
TODO: need to include the version, as it should also be part of the string that is signed.
TODO: we also need to add verification of signatures before we edit or add a manifest. For example, if we attach a layer, we need to make sure that the old signature of the manifest entry was valid. Otherwise, we would make something that was previously invalid valid without directly checking it.
e.g.:
EDIT: done ✅
TODO: we also need to add verification of digests. The signed data contains a digest, which is a sha256 hash of the respective blob (if layer) or JSON (if manifest).
If the blob or manifest is modified, the digest also changes in the registry. gl-oci should also verify the digest where possible, but in theory it should not be required, because the OCI registry would not allow hosting mismatching digests, with the potential implementation-dependent exception of entries in the OCI index.
Therefore we just make sure to verify digests wherever we use the digest.
EDIT: done ✅
TODO: verification of signatures fails
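The digest check described above, as an added example that is not gl-oci code: it verifies that the digest carried in the signed data matches the stored manifest bytes and that every layer descriptor's sha256 digest and size match the blob. The constructed blobs, `LAYERS`, `check_descriptor` and `verify_manifest` are assumptions of this example; the signature check over the signed string is left out because the page does not fix a signature scheme.

```python
import hashlib
import json

# Constructed sample layer blobs (not from any real image); the manifest built below
# carries the digests and sizes a registry would store for them.
LAYERS = [b"layer a bytes\n", b"layer b bytes\n"]


def digest_of(data: bytes) -> str:
    """OCI content digest in '<algorithm>:<hex>' form; this example uses sha256 only."""
    return "sha256:" + hashlib.sha256(data).hexdigest()


def check_descriptor(desc: dict, data: bytes) -> bool:
    """Verify one OCI descriptor against the bytes it claims to describe.

    Digest and size must both match. An unknown or malformed algorithm is a
    failure, not a pass, so a downgraded or garbled digest string cannot slip through.
    """
    algo, sep, hexdigest = desc.get("digest", "").partition(":")
    if sep != ":" or algo != "sha256" or len(hexdigest) != 64:
        return False
    if desc.get("size") != len(data):
        return False
    return hashlib.sha256(data).hexdigest() == hexdigest


def build_manifest(blobs: list) -> bytes:
    """Build a minimal OCI image manifest (canonical JSON) for the given layer blobs."""
    layers = [{"mediaType": "application/vnd.oci.image.layer.v1.tar",
               "digest": digest_of(b), "size": len(b)} for b in blobs]
    manifest = {"schemaVersion": 2,
                "mediaType": "application/vnd.oci.image.manifest.v1+json",
                "layers": layers}
    return json.dumps(manifest, separators=(",", ":"), sort_keys=True).encode()


def verify_manifest(manifest_bytes: bytes, blobs: list, signed_digest: str) -> bool:
    """True only if the signed digest matches the stored manifest bytes and every
    layer descriptor matches its blob (blobs given in manifest layer order)."""
    if digest_of(manifest_bytes) != signed_digest:
        return False  # manifest JSON was altered after the signed data was produced
    layers = json.loads(manifest_bytes).get("layers", [])
    if len(layers) != len(blobs):
        return False
    return all(check_descriptor(d, b) for d, b in zip(layers, blobs))
```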
Requirements
Thanks @nkraetzschmar
Integration into Pipelines