Closed developer-guy closed 2 years ago
@developer-guy thanks for creating this issue! Sure, we can add this if it's non-invasive for our pipeline or the end user of the vcluster image
would you mind assigning to @Dentrax? We can handle this with @Dentrax together.
@developer-guy I think he needs to comment on this issue first before I can assign him
@developer-guy @Dentrax This is a super cool idea, and thanks for stepping up to do it :)
@developer-guy @Dentrax Are you all still interested in working on this? :)
Ah yes of course, thank you for bringing it to my attention, I'm going to complete it soon
kindly ping @richburroughs
Hi cool :) I'm not the person who will approve or merge this but thank you!
Let's sign vCluster binaries with cosign, and make them verifiable for the end-users by providing clear text on the releases page about how they can do it. AFAIK, vCluster uses GitHub Actions to make a new release, so it is easy to integrate the signing process into the workflow because there is already a GitHub Action for installing cosign.
But, the question is should we consider using keyless mode or using public/private key pairs while signing binaries/images?
To complete the issue, the following needs to be done:
- sign container images
- sign binaries, maybe sha256 file only
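As an added illustration of the two items above (not the vcluster project's own workflow), here is a GitHub Actions release job that signs the container image by digest and the checksums file with cosign in keyless mode, so end users can verify both with nothing but cosign and the public Sigstore infrastructure. `OWNER`, the `ghcr.io` image path, the `dist/checksums.txt` file name and the preceding build step are assumptions; `sigstore/cosign-installer`, `docker/build-push-action` (which exposes the pushed image digest as `steps.build.outputs.digest`) and the cosign flags are real.

```yaml
# Added example: keyless cosign signing in a release workflow.
# Not the project's workflow; OWNER, registry path and checksums
# file name are placeholders.
name: release
on:
  push:
    tags: ['v*']

jobs:
  build-and-sign:
    runs-on: ubuntu-latest
    permissions:
      contents: write   # upload .sig/.pem files to the GitHub release
      packages: write   # push image and its signature to ghcr.io
      id-token: write   # OIDC token that keyless cosign exchanges for a cert
    steps:
      - uses: actions/checkout@v4
      - uses: sigstore/cosign-installer@v3

      - uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ github.token }}

      - id: build
        uses: docker/build-push-action@v5
        with:
          push: true
          tags: ghcr.io/OWNER/vcluster:${{ github.ref_name }}

      # Sign by immutable digest, never by mutable tag.
      - name: Sign the container image (keyless)
        env:
          IMAGE: ghcr.io/OWNER/vcluster
          DIGEST: ${{ steps.build.outputs.digest }}
        run: cosign sign --yes "${IMAGE}@${DIGEST}"

      # Assumed: an earlier release step wrote dist/checksums.txt with the
      # sha256 of every binary. Signing that one file covers all binaries.
      - name: Sign the checksums file (keyless)
        run: |
          cosign sign-blob --yes \
            --output-signature dist/checksums.txt.sig \
            --output-certificate dist/checksums.txt.pem \
            dist/checksums.txt

      - name: Attach signature and certificate to the release
        env:
          GH_TOKEN: ${{ github.token }}
        run: |
          gh release upload "${GITHUB_REF_NAME}" \
            dist/checksums.txt.sig dist/checksums.txt.pem
```

On the keyless-versus-key-pair question: keyless binds each signature to the workflow identity in a short-lived Fulcio certificate and records it in the Rekor transparency log, so there is no long-lived private key to store as a repository secret or rotate; a key pair instead requires publishing the public key and telling users where to get it. With the keyless job above, the text for the releases page is two commands: `cosign verify-blob --certificate checksums.txt.pem --signature checksums.txt.sig --certificate-identity-regexp '^https://github.com/OWNER/vcluster/' --certificate-oidc-issuer https://token.actions.githubusercontent.com checksums.txt` followed by `sha256sum -c checksums.txt` for the binaries, and `cosign verify --certificate-identity-regexp '^https://github.com/OWNER/vcluster/' --certificate-oidc-issuer https://token.actions.githubusercontent.com ghcr.io/OWNER/vcluster@<digest>` for the image. The identity and issuer flags are what stop a signature produced by some other repository's workflow from verifying.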