Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Signed images support #59

Closed
ttttodorov opened this issue Sep 29, 2022 · 1 comment
Closed

Signed images support #59

ttttodorov opened this issue Sep 29, 2022 · 1 comment
Assignees
Labels
feature New feature or request security Security improvement
Milestone

Comments

@ttttodorov
Copy link

ttttodorov commented Sep 29, 2022

Making sure a solution works with trusted container images is an important security aspect that has to be covered by any container management solution.

Different projects have already addressed the issue:

  • moby's with Notary - obsolete v1 supported and integrated by Docker, v2 - to be scheduled for a future release if/when stable
  • sigstore's Cosign - production-ready supported and integrated by different RedHat solutions

Based on the possible options and their status, Cosign can be integrated as a first step to enhance the security of the Kanto container management component for signed images support and verification.

Tasks:

@e-grigorov e-grigorov added the feature New feature or request label Sep 29, 2022
@e-grigorov e-grigorov moved this to Todo in Eclipse Kanto Sep 29, 2022
@konstantina-gramatova konstantina-gramatova changed the title Signed artefact validation on Edge Signed images support Sep 29, 2022
@konstantina-gramatova konstantina-gramatova added this to the M3 milestone Sep 29, 2022
@e-grigorov e-grigorov added the security Security improvement label Oct 6, 2022
@dimitar-dimitrow dimitar-dimitrow self-assigned this Oct 11, 2022
@dimitar-dimitrow dimitar-dimitrow moved this from Todo to In Progress in Eclipse Kanto Oct 11, 2022
@k-gostev k-gostev modified the milestones: M3, M4 May 30, 2023
@dimitar-dimitrow dimitar-dimitrow modified the milestones: M4, M5 Oct 30, 2023
@dimitar-dimitrow
Copy link
Contributor

dimitar-dimitrow commented Nov 21, 2023

As this task was delayed in time, here is an update for the current container image signing perspective. While the OCI image spec does not have an official 1.1.0 release, it is on it's fifth release candidate and official 1.1.0 version is expected soon. The main feature in OCI image spec 1.1.0 is to natively store, discover, and pull a graph of content(signatures, SBoM and etc.) associated with specific container images in a registry. The notary/notation-go(aka notary v2) is a library that supports Notation sign, verify, push, pull of OCI artifacts, which adopts the 1.1.0 OCI image spec.

Kanto Container Management must adhere to OCI spec and provide signed image verification using notary instead of cosign.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
feature New feature or request security Security improvement
Projects
Status: Done
Development

No branches or pull requests

5 participants