-
Notifications
You must be signed in to change notification settings - Fork 11
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
fix: Updating policy.json to properly verify images #84
Comments
After conversations in the ublue discord, we found the following bits of information: // FIXME: Match more subject types? Cosign does:
// - .DNSNames (can’t be issued by Fulcio)
// - .IPAddresses (can’t be issued by Fulcio)
// - .URIs (CAN be issued by Fulcio)
// - OtherName values in SAN (CAN be issued by Fulcio)
// - Various values about GitHub workflows (CAN be issued by Fulcio)
// What does it… mean to get an OAuth2 identity for an IP address?
// FIXME: How far into Turing-completeness for the issuer/subject do we need to get? Simultaneously accepted alternatives, for
// issuers and/or subjects and/or combinations? Regexps? More?
Further development could go into a workflow in |
@gerblesh just posted this in the Ublue discord. Something to follow |
Another related issue coreos/rpm-ostree#4272 |
What you're after appears to be completely broken/unsupported by the underlying libraries used. Until Red Hat improves them (or you choose to do so and donate your work to Red Hat -- assuming their maintainers agree to merge your changes) your only option is to use static key files which in my opinion adds so little security as to be not worth the effort. |
It is also required for secure boot to work AFAIK. |
Container signing has absolutely nothing to do with EFI secure boot. At all. Ever. |
Sure, ok, that might be a misconception that I've gotten from somewhere. I could not find much information either way online, and I'm too lazy to test it out lol. Regardless, it's a standard way to add a little bit of security by making it possible to verify that a published image was signed with a key from the maintainer. |
We need to look into some workflow to handle properly verifying images before rebasing on a signed keyless image.
The text was updated successfully, but these errors were encountered: