
Signing resource manifests

Open SteveL-MSFT opened this issue 1 year ago • 1 comment

Summary of the new feature / enhancement

Need a way to sign a resource manifest to ensure it hasn't been tampered with. The manifest should include a hash of the executable or the thumbprint of its signature; otherwise the resource manifest is trusted, but uses a bogus executable.

Proposed technical implementation details (optional)

No response

SteveL-MSFT avatar Feb 24 '24 22:02 SteveL-MSFT
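As an added illustration of the two checks the issue asks for (a signature over the manifest, plus a hash of the executable pinned inside the signed manifest), the following Go program is example code written for this page; it is not DSC's own implementation, and the `ResourceManifest` shape, the Ed25519 key, the `echo.sh` stand-in executable and the `Sign`/`Verify` helpers are all assumptions constructed here. It shows why both checks are needed: a swapped executable fails the hash check even though the manifest signature still verifies, and an edited manifest fails the signature check even though the executable is intact.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// ResourceManifest is a hypothetical, trimmed-down manifest shape assumed for
// this example (not DSC's actual schema). Struct field order fixes the JSON
// field order, so json.Marshal gives a stable byte string to sign.
type ResourceManifest struct {
	Type             string `json:"type"`
	Version          string `json:"version"`
	Executable       string `json:"executable"`
	ExecutableSHA256 string `json:"executableSha256"` // pins the binary the manifest vouches for
}

// SignedManifest carries the manifest plus a detached Ed25519 signature over
// the canonical JSON encoding of Manifest.
type SignedManifest struct {
	Manifest  ResourceManifest `json:"manifest"`
	Signature string           `json:"signature"` // hex-encoded
}

var (
	ErrBadSignature       = errors.New("manifest signature does not verify")
	ErrExecutableMismatch = errors.New("executable hash does not match manifest")
)

// canonical returns the exact bytes that are signed and later verified.
func canonical(m ResourceManifest) ([]byte, error) { return json.Marshal(m) }

// Sign produces a SignedManifest using the publisher's private key.
func Sign(m ResourceManifest, priv ed25519.PrivateKey) (SignedManifest, error) {
	payload, err := canonical(m)
	if err != nil {
		return SignedManifest{}, err
	}
	return SignedManifest{Manifest: m, Signature: hex.EncodeToString(ed25519.Sign(priv, payload))}, nil
}

// Verify first checks the manifest signature against a trusted public key,
// then checks that the executable bytes hash to the value the signed manifest
// pins. Either failure rejects the resource.
func Verify(sm SignedManifest, pub ed25519.PublicKey, executable []byte) error {
	payload, err := canonical(sm.Manifest)
	if err != nil {
		return err
	}
	sig, err := hex.DecodeString(sm.Signature)
	if err != nil || !ed25519.Verify(pub, payload, sig) {
		return ErrBadSignature
	}
	sum := sha256.Sum256(executable)
	want, err := hex.DecodeString(sm.Manifest.ExecutableSHA256)
	if err != nil || !bytes.Equal(sum[:], want) {
		return ErrExecutableMismatch
	}
	return nil
}

// Demo signs a manifest for a constructed stand-in executable and returns the
// verification result for three cases: intact, executable swapped after
// signing, and a manifest field edited after signing.
func Demo() (intact, swappedExe, editedManifest error) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // publisher key, constructed for the example
	exe := []byte("#!/bin/sh\necho hello\n")          // constructed stand-in for the resource binary
	sum := sha256.Sum256(exe)
	m := ResourceManifest{
		Type:             "Example/Echo",
		Version:          "1.0.0",
		Executable:       "echo.sh",
		ExecutableSHA256: hex.EncodeToString(sum[:]),
	}
	sm, _ := Sign(m, priv)

	intact = Verify(sm, pub, exe)
	swappedExe = Verify(sm, pub, []byte("#!/bin/sh\necho replaced\n")) // signature ok, hash differs
	edited := sm
	edited.Manifest.Executable = "other.sh" // any change to the signed fields breaks the signature
	editedManifest = Verify(edited, pub, exe)
	return
}

func main() {
	a, b, c := Demo()
	fmt.Println("intact:", a)
	fmt.Println("swapped executable:", b)
	fmt.Println("edited manifest:", c)
}
```

A real deployment would distribute the public key through some trust root (a certificate chain, a keyring, or a transparency log as cosign does) rather than generating it in-process, and would compare the hash against the executable actually resolved on disk at invocation time, not at install time, so that a later swap is still caught.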

Also worth noting that we should consider SBOMs as at least related. If I care about the manifest being signed, I also probably care about the SBOM for a resource.

Relatedly, I discovered that GitHub uses cosign for artifact and SBOM attestations, and that the Rust library for cosign/sigstore is under active development. This could make for an easier path towards having a built-in model for this domain when we approach signed resources, especially in consideration with publishing them to an OCI registry (see #92).

michaeltlombardi avatar Sep 06 '24 20:09 michaeltlombardi