Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Support digital signatures for application images #268

Open
phantooom opened this issue Aug 26, 2019 · 13 comments
Open

Support digital signatures for application images #268

phantooom opened this issue Aug 26, 2019 · 13 comments
Labels
status/blocked Issue or PR that is blocked. See comments. type/enhancement Issue that requests a new feature or improvement.

Comments

@phantooom
Copy link

phantooom commented Aug 26, 2019

i want use buildpack. is it support image digital signatures?

ref: https://docs.docker.com/engine/security/trust/content_trust/

@jromero jromero added the status/triage Issue or PR that requires contributor attention. label Feb 5, 2020
@natalieparellano natalieparellano added the type/support Issue with general questions or troubleshooting. label Feb 5, 2020
@natalieparellano
Copy link
Member

This probably requires further investigation on our part. See related conversation here: buildpacks/lifecycle#180

@natalieparellano natalieparellano added status/discussion-needed Issue or PR that requires in-depth discussion. type/enhancement Issue that requests a new feature or improvement. and removed status/triage Issue or PR that requires contributor attention. type/support Issue with general questions or troubleshooting. labels Feb 6, 2020
@dfreilich
Copy link
Member

Hi @phantooom , I was looking into this a bit more, and I'd like to understand the use case. Were you looking to sign an image through pack? Were you looking to only consume signed images through pack?

@dfreilich dfreilich added this to the 0.14.0 milestone Aug 12, 2020
@jabrown85
Copy link
Contributor

Hello again @phantooom, do you still have a use case that requires digital signatures? Can you elaborate more on your specific use case?

@jromero jromero modified the milestones: 0.14.0, 0.15.0 Sep 16, 2020
@dfreilich
Copy link
Member

This hopefully will be started through buildpacks/docs#203 (signing issues post use of pack) and https://github.com/notaryproject/nv2/issues/19 (signing images/restricting to signed images in the use of CNBs

@dfreilich dfreilich changed the title digital signatures support Support digital signatures Feb 3, 2021
@dfreilich dfreilich added status/blocked Issue or PR that is blocked. See comments. and removed status/discussion-needed Issue or PR that requires in-depth discussion. labels Feb 3, 2021
@dlorenc
Copy link

dlorenc commented Mar 21, 2021

I'm working on a project to help out with image signing and would love to make it work well with buildpacks. You can check out the docs here: github.com/sigstore/cosign

I think it would work fine for buildpack images today - it just operates on whatever has been pushed to a registry directly. If there are any other interesting lifecycle points in buildpack that would make sense to plug this into please let me know!

@dfreilich
Copy link
Member

Thanks for letting us know about it, @dlorenc ! (also, thanks for your very enjoyable blog posts on container/go subjects!)

We definitely should look into that. Is this the right forum in asking how you think it'll work together/separately from notary?

@dlorenc
Copy link

dlorenc commented Apr 4, 2021

Sure! Here or I'm happy to chat over email/video!

@dlorenc
Copy link

dlorenc commented May 7, 2021

@dfreilich - let me know if you'd like to catch up here, I think we can probably help out with the integration if you're interested!

@natalieparellano
Copy link
Member

@dlorenc looking forward to checking out your presentation in CNB office hours on 6/10/21! Link for those interested.

@DennisDenuto
Copy link

DennisDenuto commented Nov 19, 2021

@dfreilich Are there any updates wrt pack integrating with cosign? Happy to be pointed to a bunch of docs / roadmaps around pack signing images in general

@sambhav
Copy link
Member

sambhav commented Nov 19, 2021

@DennisDenuto - we were just talking about this during the office hours today - we will be working on an RFC to start the conversation around cosign integration with buildpacks. You can track buildpacks/rfcs#192 for now.

@jjbustamante
Copy link
Member

This one is still block by RFC-192 and we anticipate we will be taking a look into it during our second half of the year

@natalieparellano natalieparellano changed the title Support digital signatures Support digital signatures for application images Jul 1, 2024
@whg517
Copy link

whg517 commented Aug 21, 2024

I am also looking for a mirror build solution that can easily support the signature feature and found that this issue has been stalled for a long time.

I'm still doing technical research to share a similar implementation: Container Image Sign and Verify with cosign tool

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
status/blocked Issue or PR that is blocked. See comments. type/enhancement Issue that requests a new feature or improvement.
Projects
None yet
Development

No branches or pull requests

10 participants