Sign provenance files #92
Comments
|
@pieterlexis yes integrating the attaching to docker images or auto uploading to Github releases can be done from separate PR. |
|
I would be interested in working on this PR ✋ 😄 |
|
For Docker Images, I have been looking at the implementation within Tekton Chains... and I can see it could be possible to do something similar here too I wonder if this should be integrated as part of the
That way, you can be sure that the attestation has not been modified / compromised before it makes it to the registry. I wonder if it would be worthwhile for me to expand on #88 so someone can just call a flag that allows a user to achieve all of this for a docker image. As far as I can see with SLSA, this is a common flow for anyone wanting to generate Level 2 Provenance for an image. |
|
@ChaosInTheCRD what you have shared in your workflow tryout https://github.com/ChaosInTheCRD/mic-test/runs/4514052305?check_suite_focus=true is exactly what we would like to achieve once this PR and #88 are merged in a single line command. @pieterlexis could you also have a look at @ChaosInTheCRD his workflow we can achieve this with the combination of both PR's? |
|
The If you want to sign the provenance about the container, my action could do that as long as the provenance is in the same format. |
Signing of provenance files should allow for compatibility with:
Both Cosign and notation allow for attaching additional artefacts to the image. Eventually this signed provenance should also be attachable to the container image (#88). That would allow us to fetch the provenance for a given docker image and use the tooling (notation/cosign) to verify the signature.
The text was updated successfully, but these errors were encountered: