"Signed" badge for Inspektor Gadget artifacts
Is your feature request related to a problem? Please describe.
When looking at a gadget such as process snapshot, the badges look like:
This is because Inspektor Gadget is not listed in the supported artifacts:
https://github.com/artifacthub/hub/blob/6d5fc48ffe32ea871010ce32aa93e3f7bb35e75b/web/src/layout/common/badges/Signed.tsx#L27-L34
Describe the solution you'd like
The "signed" badge should be on or off depending on whether the OCI image is signed.
Describe alternatives you've considered
None.
Additional context
The Inspektor Gadget documentation explains how to check if a gadget OCI image is signed with cosign: https://www.inspektor-gadget.io/docs/latest/reference/verify-assets#verify-image-based-gadgets
I don't know if Artifact Hub should follow the same process. Does the "Signed" badge just mean the artifact is signed regardless of the keys used to sign it? Or do you have a set of public keys that are considered trusted by Artifact Hub?
cc @dorser @eiffel-fl @mauriciovasquezbernal
Thanks for bringing this up @alban, we'll look into it 👍
> Does the "Signed" badge just mean the artifact is signed regardless of the keys used to sign it?

Yes, that's how it works at the moment. Final verification should be done at the users' end. We have a special annotation for Helm charts that allows publishers to specify the location of the key users can use to verify the signature. We should probably provide something similar for other artifact kinds.
(from: https://artifacthub.io/docs/topics/annotations/helm/)
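
The distinction discussed in this thread, as an added example that is not taken from the issue, Artifact Hub or cosign: a presence-only check accepts a signature made with any key, while verification against one specific public key does not. `sigLayer`, `hasSignature`, `verifiedBy` and `signWith` are hypothetical names, the keys and payload are constructed, and the layer is a simplified model of a cosign signature (ECDSA P-256 over SHA-256, base64-encoded in the `dev.cosignproject.cosign/signature` annotation).

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
)

const sigAnnotation = "dev.cosignproject.cosign/signature" // holds the base64 signature

// sigLayer is a simplified, hypothetical stand-in for a cosign signature layer.
type sigLayer struct {
	Payload     []byte            // the signed bytes
	Annotations map[string]string // carries the signature annotation
}

// hasSignature is the presence-only check: true for a signature from any key.
func hasSignature(l sigLayer) bool { return l.Annotations[sigAnnotation] != "" }

// verifiedBy reports whether the signature validates under one specific key.
func verifiedBy(l sigLayer, pub *ecdsa.PublicKey) bool {
	sig, err := base64.StdEncoding.DecodeString(l.Annotations[sigAnnotation])
	sum := sha256.Sum256(l.Payload)
	return err == nil && ecdsa.VerifyASN1(pub, sum[:], sig)
}

// signWith signs payload with a freshly generated throwaway key (constructed data).
func signWith(payload []byte) (sigLayer, *ecdsa.PublicKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	sum := sha256.Sum256(payload)
	sig, err := ecdsa.SignASN1(rand.Reader, key, sum[:])
	if err != nil {
		panic(err)
	}
	return sigLayer{payload, map[string]string{sigAnnotation: base64.StdEncoding.EncodeToString(sig)}}, &key.PublicKey
}

func main() {
	publisher, trusted := signWith([]byte("constructed payload"))
	stranger, _ := signWith([]byte("constructed payload"))
	fmt.Println(hasSignature(publisher), verifiedBy(publisher, trusted)) // signed, and by the expected key
	fmt.Println(hasSignature(stranger), verifiedBy(stranger, trusted))   // signed, but by some other key
}
```

Both layers pass the presence check, but only the one signed with the expected key verifies, which is why the key location has to reach the user for the final check.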