naveensrinivasan opened 2 years ago
The right thing to do is to not have private keys (used to sign) stored on any machine that could be compromised; it is a question of when, not if. Keyless signing is one of the best options (https://github.com/sigstore/cosign/blob/main/KEYLESS.md): it signs while keeping the private key only in memory.
This, together with the OIDC provider from GitHub (https://github.com/github/roadmap/issues/249), should allow automated signing without storing any secrets in GitHub.
Background
Supply chain security is critical. Signing Docker containers is one way to ensure the image pushed to the registry is actually what was built.
https://github.com/sigstore/cosign provides a simple way to sign containers; the signature is stored in the OCI registry alongside the image, referenced by the image's SHA digest.
How to sign the container