sign nerdctl binaries and container images with cosign #592
Comments
|
I've been already signing (the SHA256SUMS of) the binaries with my GPG key https://github.com/containerd/nerdctl/releases/download/v0.14.0/SHA256SUMS.asc |
|
yep, I know, but IMHO, signing them with cosign, especially keyless, is a more proper way of doing this. With this approach, we don't need keys to manage or remember their passwords or don't need to be afraid of having them stolen. WDYT? |
I still need to manage my key, remember its password, and be afraid of having them stolen because I use the same key for signing git commits and other stuffs. |
|
I intend to continue using GPG, so let me close this, but we can revisit this again later. |
Let's sign nerdctl binaries with cosign, and make them verifiable for the end-users by providing clear text on the releases page about how they can do it. AFAIK, nerdctl uses GitHub Actions and GoReleaser to make a new release, so, it is easy to integrate the signing process into the workflow because there is already GitHub action for installing cosign.
But, the question is should we consider using keyless mode or using public/private key pairs while signing binaries/images?
Similar efforts:
cc: @Dentrax @AkihiroSuda
The text was updated successfully, but these errors were encountered: