Nathaniel McCallum
@lumjjb Okay. So this is working off the presumption that you have integrity protection for the whole manifest which contains measurements of all the layers. Therefore, there is integrity protection...
@lumjjb Do you refuse to decrypt if the manifest is unsigned?
> > If not, it would be possible to modify one of the intermediate layers in order to gain backdoor access to the plaintext.
>
> How would that be...
> > @lumjjb Do you refuse to decrypt if the manifest is unsigned?
>
> That is the choice of the runtime policy, the encryption technology is agnostic to this,...
> How do you get to decrypt the encrypted layers if you don't have the RSA private key? Under this attack, the attacker has access to: 1. one of the...
> My personal recommendation is to sign/verify images always. But I would defer this discussion to the orchestration components (i.e. kubernetes, cri-o, etc.), they are the decision makers in these...
An alternate implementation would include the measurements of each dependent layer inside the AEAD of the encrypted layer.
@lumjjb My point is not that confidentiality != integrity. My point is that you are assembling an executable from parts, some of which are supposed to be secret. But if...
Alternatively, you could do:

```yml
on: [push]
name: CI
jobs:
  build_and_test:
    name: Rust project
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
      - uses: actions-rs/toolchain@v1
      - uses: actions-rs/cargo@v1
        with:
          command: build
          args:...
```
@Kylebrown9 Thanks for presenting today. I think this is a good direction overall. However, I'm really uncomfortable with imports being both positional and named arguments by default. This has several...