kbld icon indicating copy to clipboard operation
kbld copied to clipboard
verified publisher icon carvel-dev

support signing of images

Open cppforlife opened this issue 4 years ago • 2 comments

Describe the problem/challenge you have

i would like to be able to sign images with cosign that are built by kbld. this should work regardless of the builder i use (similar to tagging).

Describe the solution you'd like

Anything else you would like to add:

  • sister issue in vendir for verifying: https://github.com/vmware-tanzu/carvel-vendir/issues/92
  • should work well with imgpkg picking up signatures during imgpkg copy
  • useful bg content: https://dlorenc.medium.com/policy-and-attestations-89650fd6f4fa

Vote on this request

This is an invitation to the community to vote on issues, to help us prioritize our backlog. Use the "smiley face" up to the right of this comment to vote.

👍 "I would like to see this addressed as soon as possible" 👎 "There are other more important things to focus on right now"

We are also happy to receive and review Pull Requests if you want to help working on this issue.

cppforlife avatar Sep 09 '21 23:09 cppforlife

@cppforlife Thanks for creating this issue. We definitely want to support signing images so the main question is "when" do we want to prioritize this work since it will take some cross-tool collaboration. Any urgency or rough timelines that you'd like to see this work done by?

aaronshurley avatar Sep 14 '21 17:09 aaronshurley

at this point just putting placeholders where i thought functionality should live.

cppforlife avatar Sep 15 '21 16:09 cppforlife