Feature request
If Chains is provided with an Image Index to sign and attest, it should recursively perform this same behavior for all referenced Image Manifests as well.
Use case
In order to improve the experience for increasing supported architectures for images, some build tasks may choose to always produce Image Index OCI artifacts even if there is only a single architecture referenced. As architectures are added to the Image Index, the Image Manifests should be signed without requiring that the specific pullspecs are included as results on the pipeline.
I think that this feature should be slightly modified. It is valid to have nested image indexes. Therefore, I think that Chains should support signing/attesting all nested Image Manifests and Image Indexes.
I can update the original request if you agree that that makes sense.
It does make sense. I'd like to see this behavior in cosign itself. The CLI does have a recursive flag, but I'm not sure if this will already handle truly recursive Image Indexes or if it needs some tweaking.
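The traversal this thread asks for, sketched as an added example (not code from Chains or cosign, and it calls no signing API): starting from an Image Index, it collects every digest that would need a signature and attestation, following nested Image Indexes. The in-memory `store`, the placeholder digests and the name `collectSubjects` are constructed for illustration, and only the OCI index media type is treated as an index.

```go
package main

import (
	"encoding/json"
	"fmt"
)

const mtIndex = "application/vnd.oci.image.index.v1+json"
const mtManifest = "application/vnd.oci.image.manifest.v1+json"

type descriptor struct{ MediaType, Digest string } // JSON keys match case-insensitively

// Constructed sample store (digest -> index JSON); digests are placeholders.
var store = map[string]string{
	"sha256:top": `{"manifests":[{"mediaType":"` + mtManifest + `","digest":"sha256:amd64"},
		{"mediaType":"` + mtIndex + `","digest":"sha256:nested"}]}`,
	"sha256:nested": `{"manifests":[{"mediaType":"` + mtManifest + `","digest":"sha256:arm64"},
		{"mediaType":"` + mtManifest + `","digest":"sha256:amd64"}]}`,
}

// collectSubjects lists every digest to sign and attest: the root index, any
// nested indexes and all image manifests, each digest exactly once.
func collectSubjects(root string, store map[string]string) ([]string, error) {
	seen := map[string]bool{}
	var out []string
	queue := []descriptor{{MediaType: mtIndex, Digest: root}}
	for len(queue) > 0 {
		d := queue[0]
		queue = queue[1:]
		if seen[d.Digest] { // shared child or reference loop: already listed
			continue
		}
		seen[d.Digest] = true
		out = append(out, d.Digest)
		if d.MediaType != mtIndex { // leaf image manifest, nothing to expand
			continue
		}
		// A missing or malformed index is an error, so a caller fails the run
		// instead of signing only part of the tree.
		var idx struct{ Manifests []descriptor }
		if err := json.Unmarshal([]byte(store[d.Digest]), &idx); err != nil {
			return out, fmt.Errorf("index %s: %w", d.Digest, err)
		}
		queue = append(queue, idx.Manifests...)
	}
	return out, nil
}

func main() {
	fmt.Println(collectSubjects("sha256:top", store))
}
```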