loft-sh / vcluster

vCluster - Create fully functional virtual Kubernetes clusters - Each vcluster runs inside a namespace of the underlying k8s cluster. It's cheaper than creating separate full-blown clusters and it offers better multi-tenancy and isolation than regular namespaces.
https://www.vcluster.com
Apache License 2.0
6.26k stars 398 forks

sign vCluster binaries/images with cosign #220

Closed developer-guy closed 2 years ago

developer-guy commented 2 years ago

Let's sign vCluster binaries with cosign and make them verifiable for end users by providing clear text on the releases page about how they can do it. AFAIK, vCluster uses GitHub Actions to make a new release, so it is easy to integrate the signing process into the workflow because there is already a GitHub Action for installing cosign.

But, the question is should we consider using keyless mode or using public/private key pairs while signing binaries/images?

To complete the issue, the following needs to be done:
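To make concrete what "verifiable for end users" means for the key-pair option raised in this issue, here is an added example in plain Go standard-library code. It is not cosign's code and not part of the vcluster project; it reproduces the check that `cosign verify-blob --key cosign.pub --signature <file>.sig <file>` performs for key-pair signatures (ECDSA P-256 over SHA-256 of the file, ASN.1 DER, base64-encoded), so a reader can see exactly what a release page would be asking downloaders to trust. The key pair and the "binary" are constructed inline and stand in for `cosign.key`/`cosign.pub` and a real release artifact.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"encoding/pem"
	"errors"
	"fmt"
)

// SignBlob mirrors what `cosign sign-blob --key cosign.key <file>` produces in
// key-pair mode: an ASN.1 DER ECDSA-P256 signature over SHA-256(blob),
// base64-encoded. The returned string is the .sig content a release would ship.
func SignBlob(priv *ecdsa.PrivateKey, blob []byte) (string, error) {
	digest := sha256.Sum256(blob)
	der, err := ecdsa.SignASN1(rand.Reader, priv, digest[:])
	if err != nil {
		return "", err
	}
	return base64.StdEncoding.EncodeToString(der), nil
}

// PublicKeyPEM renders the verifying key the way cosign writes cosign.pub
// (PKIX DER inside a "PUBLIC KEY" PEM block), which is what users download.
func PublicKeyPEM(priv *ecdsa.PrivateKey) ([]byte, error) {
	der, err := x509.MarshalPKIXPublicKey(&priv.PublicKey)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "PUBLIC KEY", Bytes: der}), nil
}

// VerifyBlob performs the key-pair check behind
// `cosign verify-blob --key cosign.pub --signature <sig> <file>`: parse the PEM
// key, decode the base64 signature, verify it over SHA-256 of the file.
// Every failure is a distinct error so the caller cannot silently ignore it.
func VerifyBlob(pubPEM []byte, sigB64 string, blob []byte) error {
	block, _ := pem.Decode(pubPEM)
	if block == nil || block.Type != "PUBLIC KEY" {
		return errors.New("cosign.pub: no PUBLIC KEY PEM block")
	}
	key, err := x509.ParsePKIXPublicKey(block.Bytes)
	if err != nil {
		return fmt.Errorf("cosign.pub: %w", err)
	}
	pub, ok := key.(*ecdsa.PublicKey)
	if !ok {
		return errors.New("cosign.pub: not an ECDSA key")
	}
	der, err := base64.StdEncoding.DecodeString(sigB64)
	if err != nil {
		return fmt.Errorf("signature: %w", err)
	}
	digest := sha256.Sum256(blob)
	if !ecdsa.VerifyASN1(pub, digest[:], der) {
		return errors.New("signature does not match binary: refuse to install")
	}
	return nil
}

func main() {
	// Constructed stand-ins (this example's own, not cosign's): a fresh key
	// pair in place of `cosign generate-key-pair`, and a fake release binary.
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	binary := []byte("vcluster release binary (constructed sample)")
	sig, _ := SignBlob(priv, binary)
	pubPEM, _ := PublicKeyPEM(priv)

	fmt.Println("genuine binary:", VerifyBlob(pubPEM, sig, binary))
	// One flipped byte, as from a tampered mirror download: must be rejected.
	tampered := append([]byte{}, binary...)
	tampered[0] ^= 0xff
	fmt.Println("tampered binary:", VerifyBlob(pubPEM, sig, tampered))
}
```

The caveat this makes visible is the trust anchor: in key-pair mode the whole guarantee rests on users obtaining the genuine `cosign.pub`, so it has to be distributed over a channel the attacker who could tamper with a release cannot also tamper with (not just the same release page). Keyless mode changes what is verified: cosign signs with an ephemeral key, Fulcio issues a short-lived certificate binding that key to the OIDC identity of the signer (for GitHub Actions, the workflow identity), and the signature is recorded in the Rekor transparency log, so `cosign verify` checks a certificate identity and issuer plus a log entry instead of a static public key. None of that is modelled above; the example covers the key-pair half of the question only.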

FabianKramm commented 2 years ago

@developer-guy thanks for creating this issue! Sure, we can add this if it's non-invasive for our pipeline or the end user of the vcluster image.

developer-guy commented 2 years ago

Would you mind assigning this to @Dentrax? We can handle this together with @Dentrax.

FabianKramm commented 2 years ago

@developer-guy I think he needs to comment on this issue first before I can assign him

richburroughs commented 2 years ago

@developer-guy @Dentrax This is a super cool idea, and thanks for stepping up to do it :)

richburroughs commented 2 years ago

@developer-guy @Dentrax Are you all still interested in working on this? :)

developer-guy commented 2 years ago

Ah yes, of course ✌️ Thank you for bringing it to my attention, I'm going to complete it soon 😇

developer-guy commented 2 years ago

Kindly ping @richburroughs 🙋🏻‍♂️

richburroughs commented 2 years ago

Hi, cool :) I'm not the person who will approve or merge this, but thank you!