Closed shin-san closed 5 months ago

Hi Team,

I could not find any documentation regarding signature validation of containers, specifically mcr.microsoft.com/mssql/rhel/server images. This can be problematic as this can be an issue for a cluster or container platform that enforces supply chain security validation.

It would be much appreciated to understand which GPG keys to use and the sigstore URL location, or if the images are signed using the sigstore cosign stack.

Hi @shin-san, the team behind Microsoft Artifact Registry is planning to introduce Notation-based signature validation in our roadmap. This will enable consumers of MAR images to validate the authenticity of images. This is being worked on in our roadmap and concrete guidance has not been published yet.

Thanks for the update, @johnsonshi. Do we have a timeframe on when we can expect the image signing to take effect?
Will there be some backwards compatibility with cosign if that is the preferred method of signature signing and validation?

cc @johnsonshi for updates

Unfortunately, we do not have a clear timeline for all mcr.microsoft.com images to have either Notation-based or cosign-based signature validation.
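The enforcement the original post refers to (a cluster that refuses images it cannot validate) is, on the consumer side, a trust policy that maps each repository to a verification level and a trust store, which is what a Notation-based scheme would need once MAR publishes its signing identities. The following is an added example, not code from this thread, from Microsoft, or from the Notation project: a small fail-closed scope matcher over a constructed trustpolicy.json-style document. The policy names, trust store names and identity strings are placeholders, not Microsoft's published signing identities; the requirement that a reference be digest-pinned before verification is a choice of this example rather than a Notation rule.

```python
"""Fail-closed trust-policy scoping, modelled on a subset of Notation's trustpolicy.json.

Added example. Assumes each policy carries registryScopes (fully qualified
repository paths, or a lone "*" wildcard), a signatureVerification level
and trustStores. A repository is matched to exactly one policy; a reference
that matches no policy is rejected rather than allowed through.
"""
import json

VALID_LEVELS = {"strict", "permissive", "audit", "skip"}

# Constructed sample policy: placeholder trust stores and identities only.
SAMPLE_TRUST_POLICY = json.dumps({
    "version": "1.0",
    "trustPolicies": [
        {
            "name": "mssql-images",
            "registryScopes": ["mcr.microsoft.com/mssql/rhel/server"],
            "signatureVerification": {"level": "strict"},
            "trustStores": ["ca:placeholder-publisher-ca"],
            "trustedIdentities": ["x509.subject: CN=placeholder, O=Placeholder"],
        },
        {
            "name": "audit-everything-else",
            "registryScopes": ["*"],
            "signatureVerification": {"level": "audit"},
            "trustStores": ["ca:placeholder-ca"],
            "trustedIdentities": ["*"],
        },
    ],
})


def parse_reference(ref):
    """Split 'registry/repo[:tag][@sha256:<hex>]' into (repo, tag, digest).

    Assumes the registry host carries no port, as with mcr.microsoft.com.
    """
    digest = None
    if "@" in ref:
        ref, digest = ref.split("@", 1)
        algo, _, hexpart = digest.partition(":")
        if algo != "sha256" or len(hexpart) != 64 or set(hexpart) - set("0123456789abcdef"):
            raise ValueError("malformed digest in reference: " + digest)
    tag = None
    colon = ref.rfind(":")
    if colon > ref.rfind("/"):  # a colon after the last slash separates the tag
        ref, tag = ref[:colon], ref[colon + 1:]
    return ref, tag, digest


def load_trust_policy(text):
    """Parse the policy and reject scope layouts that would make matching ambiguous:
    a repository listed in two policies, or a "*" wildcard that is not alone in
    its policy or appears in more than one policy."""
    doc = json.loads(text)
    seen = {}
    wildcard_policies = 0
    for policy in doc["trustPolicies"]:
        level = policy["signatureVerification"]["level"]
        if level not in VALID_LEVELS:
            raise ValueError("unknown verification level %r in %s" % (level, policy["name"]))
        scopes = policy["registryScopes"]
        if "*" in scopes:
            if len(scopes) != 1:
                raise ValueError("wildcard scope must be the only scope in " + policy["name"])
            wildcard_policies += 1
            if wildcard_policies > 1:
                raise ValueError("only one policy may use the wildcard scope")
        for scope in scopes:
            if scope in seen:
                raise ValueError("scope %s listed in both %s and %s" % (scope, seen[scope], policy["name"]))
            seen[scope] = policy["name"]
    return doc


def select_policy(doc, repo):
    """An exact repository scope wins; otherwise the wildcard policy, if one exists."""
    wildcard = None
    for policy in doc["trustPolicies"]:
        if repo in policy["registryScopes"]:
            return policy
        if policy["registryScopes"] == ["*"]:
            wildcard = policy
    return wildcard


def admission_decision(doc, ref):
    """Return (decision, policy_name, detail) for an image reference.

    'verify' means run signature verification against the policy's trust stores
    at the stated level, 'skip' means the policy opts the repository out, and
    'reject' means the reference never reaches verification (fail closed).
    """
    repo, _tag, digest = parse_reference(ref)
    policy = select_policy(doc, repo)
    if policy is None:
        return ("reject", None, "no trust policy covers " + repo)
    level = policy["signatureVerification"]["level"]
    if level == "skip":
        return ("skip", policy["name"], level)
    if digest is None:
        # Choice of this example: insist on a digest-pinned reference so that the
        # artifact verified is the artifact that runs, not whatever the tag points at later.
        return ("reject", policy["name"], "reference is not digest-pinned")
    return ("verify", policy["name"], level)


if __name__ == "__main__":
    policy_doc = load_trust_policy(SAMPLE_TRUST_POLICY)
    sample_digest = "sha256:" + "0" * 64  # constructed, not a real image digest
    for image in (
        "mcr.microsoft.com/mssql/rhel/server:2022-latest",
        "mcr.microsoft.com/mssql/rhel/server:2022-latest@" + sample_digest,
        "mcr.microsoft.com/dotnet/runtime@" + sample_digest,
    ):
        print(image, "->", admission_decision(policy_doc, image))
```

The second policy is deliberately set to audit rather than strict so that an unscoped repository is still inspected without blocking rollout; removing the wildcard policy altogether makes every repository not explicitly listed fail closed, which is the posture the original post asks for.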