
Add hints if required signatures can’t possibly exist

Open mtrmac opened this issue 5 years ago • 1 comments

Currently, signature verification can fail with https://github.com/containers/image/blob/e3293eaa4a81a99f33d1fda1eb9495aec722043f/signature/policy_eval_signedby.go#L118 . That’s technically correct; overall the codebase could be more helpful if signatures can’t possibly be read:

  • because the input transport does not support them at all
  • (Because the image format does not support them?)
  • because the registry does not natively support them and no sigstore is configured.

Moving this information from the code that has it to the signature verification implementation should not break any existing ImageSource… implementations, so it might require some care or perhaps bundling with other API breaks.

mtrmac, Jul 15 '20 21:07
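
One way a hint could reach the verifier without changing existing source implementations, as an added example that is not containers/image code and not the design the project settled on. `imageSource`, `signatureHinter`, `explainMissingSignatures` and the error text are hypothetical names, and the optional interface found by type assertion is an assumed approach.

```go
package main

import (
	"errors"
	"fmt"
)

// imageSource is a hypothetical stand-in, not the containers/image ImageSource API.
type imageSource interface {
	Signatures() ([][]byte, error)
}

// signatureHinter is a hypothetical optional interface: sources that know why
// signatures cannot exist implement it, and existing sources need no change.
type signatureHinter interface {
	NoSignaturesReason() string // "" means signatures could exist
}

var errNoSignature = errors.New("a signature was required, but none was found") // constructed text

// explainMissingSignatures returns nil when src has signatures for the caller to
// verify; otherwise errNoSignature, with a hint if src offers one. Still a rejection.
func explainMissingSignatures(src imageSource) error {
	sigs, err := src.Signatures()
	if err != nil {
		return err
	}
	if len(sigs) > 0 {
		return nil
	}
	if h, ok := src.(signatureHinter); ok && h.NoSignaturesReason() != "" {
		return fmt.Errorf("%w (hint: %s)", errNoSignature, h.NoSignaturesReason())
	}
	return errNoSignature
}

// legacySource models an existing implementation that predates the hint.
type legacySource struct{ sigs [][]byte }
func (s legacySource) Signatures() ([][]byte, error) { return s.sigs, nil }

// hintingSource models a transport that cannot carry signatures at all.
type hintingSource struct{ reason string }
func (s hintingSource) Signatures() ([][]byte, error) { return nil, nil }
func (s hintingSource) NoSignaturesReason() string    { return s.reason }

func main() {
	fmt.Println(explainMissingSignatures(legacySource{}))
	fmt.Println(explainMissingSignatures(hintingSource{reason: "transport does not support signatures"}))
}
```

Because the hint is wrapped with `%w`, callers that match on the underlying error keep working, and the policy decision stays a rejection either way.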

With c/image/internal/private, we can add fields like this.

mtrmac, Dec 09 '22 00:12