Open MohamedTalhaoui opened 3 years ago
Thanks for pointing out.
Currently, there's no way to do that.
This MAY be do-able but not on the top of the list, if you are interested, any contribution is welcome.
Also, it would be good if replicated images are signed on push to harbor when content trust is enabled.
Not sure about the implementation details, but with some guidance I am keen to have a look at it.
Replicated images cannot be signed on push because it's a different Notary signer server in the target instance with its own DB and delegations; unless your goal is to just resign the image with a new signature. But it cannot be used to verify integrity as a signed image from the source registry anymore. And replicating a signed artifact and having that signature persist to the target registry is not possible because of the upstream Notary project, but a solution is being worked on right now.
Once that's available, blocking replication of unsigned images from within Harbor is as easy as checking a bit. It's the replication of signed images that we don't have a solution for atm.
I'm keeping the blocking of unsigned images as a requirement in the backlog, pending the Notary v2 solution.
Yes, my goal is to resign the image with a new signature as it is replicated in Harbor. The idea is that I am okay with signing an image on my target registry as long as I can verify it has been signed in the source registry.
I enabled "content trust" on a Harbor project, pushed a signed image into it, and tried to replicate it to an ECR, and it failed as expected because the image is not signed... so I am not sure I understand when you say that Harbor is not able to block replication for unsigned images. Can you clarify the issue please?
Is this now possible with cosign?
This issue is being marked stale due to a period of inactivity. If this issue is still relevant, please comment or remove the stale label. Otherwise, this issue will close in 30 days.
I have a Harbor registry with Content Trust enabled. I have set up a replication rule to replicate the nginx/nginx-ingress:latest image from Docker Hub. I know this image is not signed from my docker client:
However, this image is still replicated successfully. My expectation would be that only signed images would be replicated.
Is there a way to block the replication of unsigned images?
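An added example (my own code, not Harbor's or Notary's) of the client-side gate this thread asks for: it parses `docker trust inspect` output and allows replication of a tag only when that tag is signed and the signed digest matches the manifest digest that would actually be copied, since a tag can be moved to an unsigned manifest after signing. The repository name, digests and key IDs in the sample are constructed placeholders.

```python
import json

# Constructed sample in the shape `docker trust inspect <image>` prints: a JSON
# list with one object per image, each listing the tags that carry signatures.
# Digests and key IDs here are made-up placeholders, not real values.
SIGNED_SAMPLE = json.dumps([{
    "Name": "registry.example.com/library/app",
    "SignedTags": [
        {"SignedTag": "1.2.0", "Digest": "a1" * 32, "Signers": ["Repo Admin"]},
        {"SignedTag": "1.1.0", "Digest": "b2" * 32, "Signers": ["Repo Admin"]},
    ],
    "Signers": [],
    "AdministrativeKeys": [
        {"Name": "Root", "Keys": [{"ID": "c3" * 32}]},
        {"Name": "Repository", "Keys": [{"ID": "d4" * 32}]},
    ],
}])
# For an unsigned image the command prints an empty list (and reports
# "No signatures" on stderr), so the parser must handle that case too.
UNSIGNED_SAMPLE = "[]"


def signed_digests(trust_inspect_json: str) -> dict:
    """Map (repository, tag) -> hex digest for every tag that carries a signature."""
    result = {}
    for repo in json.loads(trust_inspect_json):
        for entry in repo.get("SignedTags", []):
            if entry.get("Signers"):  # a tag without signers is not signed
                result[(repo["Name"], entry["SignedTag"])] = entry["Digest"].lower()
    return result


def replication_allowed(image_ref: str, trust_inspect_json: str, manifest_digest: str) -> bool:
    """Allow replication only if the tag is signed AND the signed digest equals the
    manifest digest the replication would copy (tags are mutable, so 'signed' alone
    is not enough)."""
    repository, sep, tag = image_ref.rpartition(":")
    if not sep or "/" in tag:  # no tag given; the ":" belonged to a registry port
        repository, tag = image_ref, "latest"
    signed = signed_digests(trust_inspect_json).get((repository, tag))
    if signed is None:
        return False
    # Registry digests carry a "sha256:" prefix; trust metadata stores bare hex.
    digest = manifest_digest.lower()
    if digest.startswith("sha256:"):
        digest = digest[len("sha256:"):]
    return digest == signed
```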