getporter / porter

Porter enables you to package your application artifact, client tools, configuration and deployment logic together as an installer that you can distribute, and install with a single command.
https://porter.sh
Apache License 2.0
1.23k stars, 208 forks

Signing of images within a porter bundle is not possible #1457

Open scottbuckel opened 3 years ago

scottbuckel commented 3 years ago

Is your feature request related to a problem? Please describe.
When bundles are published using porter publish, images in the porter.yaml file are tagged and pushed to the specified repository. If you are using the helm mixin, it is also updated with the location of these images. This is great, except there is no way to then sign that image for use with an admission controller in k8s.

Describe the solution you'd like
Give the opportunity to sign the image (and the bundle itself?) with a tool such as signy (https://github.com/cnabio/signy).

Describe alternatives you've considered

  1. Do not use thick bundles - this isn't great for an air-gapped solution especially
  2. Publish images yourself - but if you publish images yourself, helm won't substitute them.

Additional context
@carolynvs via slack: We are planning on integrating signy into Porter directly but that won't happen until later this year. Let me see if @radu-matei can help answer your question about how to make Porter's relocation work with signy. I'll get back to you with his answer.
Me: So for now I guess the only workaround is to not include the image in a thick bundle, use a thin bundle and sign it outside of porter, push it to the repo separately, and reference it from within your bundle/helm charts... which kind of defeats the purpose of signing the whole bundle.
@carolynvs: Yeah I see the problem, hopefully we can come up with a viable workaround after I chat with Radu, we will figure something out, even if it's a bit of a temporary fix.

radu-matei commented 3 years ago

Hi! I agree that the current state is far from ideal. Specifically, the OCI community is working on V2 for Notary, which would be native to registries and which would allow implementations to move signature data from one registry to another.

Until then, there is a scenario in which image signatures could be verified for thick bundles:

If the Porter binary pushed the images to a registry, and the signature to the trust server (using the Signy packages - https://github.com/cnabio/signy/blob/main/pkg/tuf/sign.go), then it could be pointed to the same trust server after the thick bundle reached the air-gapped environment, and I'd be happy to help people make this work in Porter.
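The scenario sketched in that comment, as an added example in Go (not code from Porter or signy): the publisher signs a name/digest record for each image before the bundle leaves the connected network, and the air-gapped side maps each reference that porter publish relocated back to the reference it was signed under, checks the record's signature, and then compares digests. The Target and SignedTarget types, the map standing in for the trust server, the relocation map and the use of plain Ed25519 in place of signy's TUF metadata are all assumptions made for the example.

```go
package main

import (
	"crypto/ed25519"
	"encoding/json"
	"fmt"
)

// Target is the record a trust server signs for one image: the reference it
// was signed under and the content digest of its manifest.
type Target struct {
	Name   string `json:"name"`
	Digest string `json:"digest"`
}

// SignedTarget pairs a Target with an Ed25519 signature over its JSON form.
type SignedTarget struct {
	Target    Target
	Signature []byte
}

// SignTarget is the publisher side: sign the name/digest record.
func SignTarget(priv ed25519.PrivateKey, t Target) SignedTarget {
	msg, _ := json.Marshal(t) // two string fields: cannot fail
	return SignedTarget{Target: t, Signature: ed25519.Sign(priv, msg)}
}

// VerifyRelocated is the air-gapped side. trust stands in for the trust server
// (signed targets keyed by original reference); relocation maps the reference
// porter publish wrote into the bundle back to the one it was signed under.
func VerifyRelocated(pub ed25519.PublicKey, trust map[string]SignedTarget,
	relocation map[string]string, relocatedRef, observedDigest string) error {
	origRef, ok := relocation[relocatedRef]
	if !ok {
		return fmt.Errorf("no relocation entry for %s", relocatedRef)
	}
	st, ok := trust[origRef]
	if !ok {
		return fmt.Errorf("no signed target for %s", origRef)
	}
	msg, _ := json.Marshal(st.Target)
	if !ed25519.Verify(pub, msg, st.Signature) {
		return fmt.Errorf("signature on target for %s does not verify", origRef)
	}
	// Digests are content-addressed: a faithful relocation keeps the digest.
	if st.Target.Name != origRef || st.Target.Digest != observedDigest {
		return fmt.Errorf("%s: signed digest %s, observed %s", relocatedRef, st.Target.Digest, observedDigest)
	}
	return nil
}
```

The relocation map corresponds to what porter publish already records when it retags images; the trust server lookup is keyed by the original name, which is why the relocated side needs that mapping before it can verify anything.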