microsoft / containerregistry

Microsoft Artifact Registry description and related FAQ

No Information Regarding Supply Chain Validation of Containers #143

Closed shin-san closed 5 months ago

shin-san commented 1 year ago

Hi Team,

I could not find any documentation regarding signature validation of containers, specifically mcr.microsoft.com/mssql/rhel/server images.

This can be problematic as this can be an issue for a cluster or container platform that enforces supply chain security validation.

It would be much appreciated to understand which GPG keys to use and the sigstore URL location, or if the images are signed using sigstore cosign stack.

johnsonshi commented 1 year ago

Hi @shin-san, the team behind Microsoft Artifact Registry is planning to introduce Notation-based signature validation in our roadmap. This will enable consumers of MAR images to validate the authenticity of images. This is being worked on in our roadmap and concrete guidance has not been published yet.

shin-san commented 1 year ago

Thanks for the update, @johnsonshi. Do we have a timeframe on when we can expect the image signing to take effect?

Will there be some backwards compatibility with cosign if that is the preferred method of signature signing and validation?

AndreHamilton-MSFT commented 5 months ago

cc @johnsonshi for updates

johnsonshi commented 5 months ago

Unfortunately, we do not have a clear timeline for all mcr.microsoft.com images to have either Notation-based or cosign-based signature validation.