retina

Sign container images

Open rbtr opened this issue 1 year ago • 3 comments

Is your feature request related to a problem? Please describe.
Images pushed to GHCR are not signed.

Describe the solution you'd like
Images pushed to GHCR should be signed to verify integrity and establish a chain of trust.

Additional context
GitHub recommends https://github.com/sigstore/cosign-installer per https://github.blog/2021-12-06-safeguard-container-signing-capability-actions/, so this does not seem like it would be very complicated to enable. Open to alternatives from anyone with experience signing images in GHA.

rbtr, Mar 26 '24 16:03

sigstore (cosign?) can also be used to sign the OCI helm chart https://helm.sh/docs/topics/registries/#using-sigstore-to-sign-oci-based-charts

rbtr, Mar 26 '24 17:03

I made a PR to address this one. Please help assign and review if possible. Thanks!

hainenber, Mar 27 '24 16:03

Assigned you this issue.

rbtr, Mar 27 '24 17:03