Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Sign released images with sigstore/cosign #1267

Open
mattmoor opened this issue Jul 15, 2022 · 3 comments
Open

Sign released images with sigstore/cosign #1267

mattmoor opened this issue Jul 15, 2022 · 3 comments
Assignees
Labels
priority: p2 Moderately-important priority. Fix may not be included in next release. type: feature request ‘Nice-to-have’ improvement, new feature or different behavior or design.

Comments

@mattmoor
Copy link

Feature Description

Start to sign the published OCI images using a documented identity.

It looks like you are using Google Cloud Build to publish your images, which @dlorenc added support for to get the distroless images signed, e.g.
https://github.com/GoogleContainerTools/distroless/blob/db2d69aa294c7ff414ae12c6ffe578254745a4ca/cloudbuild.yaml#L75

Currently, we inject these sidecars alongside a few of our images, and we'd love to be able to author policies stating that the images we pull down must be signed by your release process, e.g. [email protected]

Alternatives Considered

N/A

Additional Context

If you use Github actions for your releases this is even easier, and I could probably just send a PR, but either way an admin will have to do a bit of IAM setup to support this.

@mattmoor mattmoor added the type: feature request ‘Nice-to-have’ improvement, new feature or different behavior or design. label Jul 15, 2022
@enocom enocom added the priority: p2 Moderately-important priority. Fix may not be included in next release. label Jul 15, 2022
@enocom
Copy link
Member

enocom commented Jul 15, 2022

Thanks for the feature request, @mattmoor. This looks like a nice improvement that shouldn't be too much work.

@mattmoor
Copy link
Author

@enocom LMK if I can be helpful at all here. I'm mattmoor on most slack instances if that's easier.

@enocom
Copy link
Member

enocom commented Aug 29, 2022

Working through the v2 release and related improvements, I still have this on my radar.

@enocom enocom added priority: p1 Important issue which blocks shipping the next release. Will be fixed prior to next release. and removed priority: p2 Moderately-important priority. Fix may not be included in next release. labels Aug 31, 2022
@enocom enocom added priority: p2 Moderately-important priority. Fix may not be included in next release. and removed priority: p1 Important issue which blocks shipping the next release. Will be fixed prior to next release. labels Nov 17, 2022
@enocom enocom assigned jackwotherspoon and unassigned enocom May 1, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
priority: p2 Moderately-important priority. Fix may not be included in next release. type: feature request ‘Nice-to-have’ improvement, new feature or different behavior or design.
Projects
None yet
Development

No branches or pull requests

3 participants