
Support github artifact attestation

Open wparr-circle opened this issue 6 months ago • 3 comments

GitHub recently launched https://github.blog/changelog/2024-06-25-artifact-attestations-is-generally-available/, which builds on sigstore's https://github.com/sigstore/fulcio, https://github.com/sigstore/rekor and https://github.com/sigstore/timestamp-authority.

For public repos there isn't really any concern here, as artifact attestations wrap the public-good sigstore instances of fulcio and rekor, i.e. the following sigstore config would work to configure signing:

fulcio:
  fulcioURL: "https://fulcio.sigstore.dev"
  oidcMode: "staticToken"
  oidcIDToken: "placeholder"
rekorURL: "https://rekor.sigstore.dev"

I'm more interested in supporting GitHub artifact attestations to ensure that we can use the private path supported by GitHub: using their own fulcio instance and timestamp authority for witnessing (note: private repos don't use rekor), which solves having to host your own instances for private repositories that we don't want to leak details about, i.e. the following instances: https://fulcio.githubapp.com https://timestamp.githubapp.com

which would need to be supported in a config such as:

fulcio:
  fulcioURL: "https://fulcio.githubapp.com"
  oidcMode: "staticToken"
  oidcIDToken: "placeholder"
timestampAuthorityURL: "https://timestamp.githubapp.com"

NOTE: timestampAuthorityURL is not a supported field today in containers-sigstore-signing-params.yaml.5, which means this is likely an issue to be created against https://github.com/containers/image as well.

wparr-circle avatar Aug 08 '24 11:08 wparr-circle
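As an added example (not from the issue, and not skopeo's or containers/image's own loader), a small Python checker for the two configs above: it parses the `key: value` subset used in the signing-params file, including the proposed `timestampAuthorityURL` key, and reports which witness (rekor log entry or timestamp authority) would back the short-lived fulcio certificate. The parser, the `witnesses` function and the https checks are illustrative assumptions, not the real implementation.

```python
from urllib.parse import urlparse

PUBLIC_CFG = """\
fulcio:
  fulcioURL: "https://fulcio.sigstore.dev"
  oidcMode: "staticToken"
  oidcIDToken: "placeholder"
rekorURL: "https://rekor.sigstore.dev"
"""
PRIVATE_CFG = """\
fulcio:
  fulcioURL: "https://fulcio.githubapp.com"
  oidcMode: "staticToken"
  oidcIDToken: "placeholder"
timestampAuthorityURL: "https://timestamp.githubapp.com"
"""

def parse_params(text):
    """Parse the 'key: value' / 'key:' + 2-space-indented mapping subset used above (not a general YAML parser)."""
    cfg, section = {}, None
    for raw in filter(str.strip, text.splitlines()):  # skip blank lines
        key, _, value = raw.strip().partition(":")
        value = value.strip().strip('"')
        if raw.startswith("  "):          # nested under the current section
            if section is None:
                raise ValueError(f"indented key {key!r} has no parent mapping")
            cfg[section][key] = value
        elif value == "":                 # start of a nested mapping
            section, cfg[key] = key, {}
        else:                             # plain top-level scalar
            section, cfg[key] = None, value
    return cfg

def _https(url):
    p = urlparse(url or "")
    return p.scheme == "https" and bool(p.netloc)

def witnesses(cfg):
    """Return which witnesses back the short-lived fulcio cert: 'rekor' (log entry) and/or 'tsa' (RFC 3161 timestamp)."""
    fulcio = cfg.get("fulcio")
    if not isinstance(fulcio, dict) or not _https(fulcio.get("fulcioURL")):
        raise ValueError("fulcio.fulcioURL must be an https URL")
    keys = {"rekor": "rekorURL", "tsa": "timestampAuthorityURL"}
    bad = [k for k in keys.values() if k in cfg and not _https(cfg[k])]
    if bad:
        raise ValueError(f"witness URLs must be https: {bad}")
    found = [name for name, key in keys.items() if key in cfg]
    if not found:  # no log entry and no timestamp: unverifiable once the cert expires
        raise ValueError("need rekorURL and/or timestampAuthorityURL")
    return found
```

The public config resolves to `['rekor']` and the private one to `['tsa']`; a config naming neither is rejected, since nothing would prove the signature was made while the certificate was valid.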