Sign images before upload to registry #1266
Comments
That currently isn't possible because the upload happens as part of the lifecycle export step and signing happens after the lifecycle finishes executing in the completion step. This would only be possible if the lifecycle supported signing natively.
Maybe kpack could attempt to do signing before it tries to retrieve the build metadata in the completion step as a way to get around this.
PR #1296 enables building an image in a repo with a policy that disallows pulling unsigned images. Previously this would fail in the "completion" phase with error message:
Is it possible to have kpack sign the image before upload (Cosign 2.1.0 can now do this), so that when there is a policy (for example in Harbor) not to allow pulling unsigned images, kpack can complete the build without failing?
Message received during image build with kpack when Harbor does not allow pull of unsigned images:
unable to fetch app image: GET : PROJECTPOLICYVIOLATION: The image is not signed in Cosign.
See:
Cosign 2.1.0 feature: Allow cosign to sign digests before they are uploaded. (sigstore/cosign#2959)
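The ordering problem raised in this issue (export pushes the image, the completion step then has to pull it, and signing only happens afterwards) can be modelled in a few lines. The following is an added, constructed example and not kpack, Harbor or cosign code: the registry is an in-memory dict that enforces a "no pull of unsigned images" policy, the digest is a real sha256 over the image bytes, and the signature is an HMAC stand-in for a cosign signature. It shows why sign-after-export trips the policy and why signing the digest before upload does not.

```python
"""Model of the kpack/Harbor ordering problem from the issue.

Constructed example: SignedOnlyRegistry stands in for a Harbor project with a
"reject pull of unsigned images" policy, sign_digest() stands in for
`cosign sign` over a digest (cosign signs the digest, not the image bytes),
and SIGNING_KEY is a demo key, not a real cosign key.
"""
import hashlib
import hmac

SIGNING_KEY = b"constructed-demo-key"  # stand-in for a cosign private key


class PolicyViolation(Exception):
    """Raised when the registry policy blocks a pull (cf. PROJECTPOLICYVIOLATION)."""


def image_digest(image: bytes) -> str:
    """Content digest of the image, known before anything is uploaded."""
    return "sha256:" + hashlib.sha256(image).hexdigest()


def sign_digest(digest: str) -> bytes:
    """Stand-in for signing a digest with cosign (HMAC, constructed for the demo)."""
    return hmac.new(SIGNING_KEY, digest.encode(), hashlib.sha256).digest()


def verify_digest(digest: str, signature: bytes) -> bool:
    return hmac.compare_digest(sign_digest(digest), signature)


class SignedOnlyRegistry:
    """Registry that stores images and signatures keyed by digest and refuses
    to serve an image that has no valid signature attached."""

    def __init__(self) -> None:
        self.images: dict[str, bytes] = {}
        self.signatures: dict[str, bytes] = {}

    def push_image(self, image: bytes) -> str:
        digest = image_digest(image)
        self.images[digest] = image
        return digest

    def push_signature(self, digest: str, signature: bytes) -> None:
        # A signature can be stored before the image it covers is uploaded.
        self.signatures[digest] = signature

    def pull_image(self, digest: str) -> bytes:
        if digest not in self.images:
            raise KeyError(f"unknown digest {digest}")
        sig = self.signatures.get(digest)
        if sig is None or not verify_digest(digest, sig):
            raise PolicyViolation("The image is not signed in Cosign.")
        return self.images[digest]


def build_sign_after_export(registry: SignedOnlyRegistry, image: bytes):
    """Current order: export pushes the image, completion pulls it to read
    build metadata, and signing happens last. Returns (ok, message_or_digest)."""
    digest = registry.push_image(image)  # export step
    try:
        registry.pull_image(digest)  # completion: fetch app image for metadata
    except PolicyViolation as exc:
        return False, f"unable to fetch app image: {exc}"
    registry.push_signature(digest, sign_digest(digest))
    return True, digest


def build_sign_before_export(registry: SignedOnlyRegistry, image: bytes):
    """Proposed order: sign the digest and push the signature before the image
    is uploaded, so the image is never present in the registry unsigned."""
    digest = image_digest(image)  # digest is computable before upload
    registry.push_signature(digest, sign_digest(digest))
    registry.push_image(image)  # export step
    registry.pull_image(digest)  # completion now passes the policy
    return True, digest


if __name__ == "__main__":
    app = b"constructed app image layers"
    print(build_sign_after_export(SignedOnlyRegistry(), app))
    print(build_sign_before_export(SignedOnlyRegistry(), app))
```

The first pipeline fails at the pull in the completion step with the same class of error quoted above, because between export and signing the image exists in the registry unsigned. The second pipeline never creates that window: the signature is keyed by a digest that is computed locally, so it can be attached before the image manifest lands.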