curx opened this issue 2 years ago (status: open)
Just to ensure we're talking about the same thing: https://blog.sigstore.dev/cosign-image-signatures-77bab238a93 this, right?
It does make sense to introduce something like that, but I think we should first improve our naming and tagging, including the supporting pipeline. So far we only maintain a latest-greatest tag for each different flavour/dimension of the image.
We should add some logic to keep tags for at least one "known good" build and for recent builds. And these should be signed.
Since cosign can be used to verify container images, are there any plans to do so and to provide a cosign public key for validation?