
image admission: block uploading images to zot if signature verification fails

Open rchincha opened this issue 3 years ago • 3 comments

zot is cosign-compatible [1]. However zot is only a transit point for images (accept all images) and signing and verification is left to pushers and pullers. Can we set up zot so that it can reject images which fail verification? This just needs the public key of the signers.

[1] https://github.com/sigstore/cosign

rchincha, Oct 20 '21 17:10

We would need a configuration to specify 1 global public key, and 1 public key / 1 repo for verification. We also need a way to enable this feature or disable it globally or per repo.

We would allow an image to be uploaded, and expect a signature to be uploaded shortly afterwards. If the signature is not uploaded, the image would be deleted.

andaaron, Oct 27 '21 16:10
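The two rules in the comment above (an effective verification key resolved from a global key plus optional per-repo overrides with an enable switch at either level, and an upload that is accepted first and deleted if no signature arrives within a grace period) as a worked admission check. This is an added example, not zot's code or config schema: the `SignPolicy`/`RepoPolicy`/`Pending` names are hypothetical, and the signed payload is simplified to SHA-256 of the manifest digest string rather than cosign's JSON simple-signing envelope, which does not change the admission logic.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"sort"
	"time"
)

// SignPolicy models the configuration sketched in the thread: one global public key,
// an optional key per repository, and an enable switch settable globally or per repo.
// Hypothetical names; not zot's own extension config.
type SignPolicy struct {
	Enabled   bool                  // global switch
	GlobalKey *ecdsa.PublicKey      // fallback verification key for every repo
	Repos     map[string]RepoPolicy // per-repository overrides
}

// RepoPolicy overrides the global settings; nil fields inherit from SignPolicy.
type RepoPolicy struct {
	Enabled *bool
	Key     *ecdsa.PublicKey
}

// ErrBadSignature is returned when the signature does not verify under the effective key.
var ErrBadSignature = errors.New("admission: signature verification failed")

// resolve returns the effective key and enable flag for a repository.
func (p SignPolicy) resolve(repo string) (*ecdsa.PublicKey, bool) {
	key, enabled := p.GlobalKey, p.Enabled
	if rp, ok := p.Repos[repo]; ok {
		if rp.Enabled != nil {
			enabled = *rp.Enabled
		}
		if rp.Key != nil {
			key = rp.Key
		}
	}
	return key, enabled
}

// Admit decides whether a manifest with the given digest may be stored in repo.
// Payload simplified to SHA-256 of the digest string (cosign signs a JSON envelope).
func (p SignPolicy) Admit(repo, manifestDigest string, sig []byte) error {
	key, enabled := p.resolve(repo)
	if !enabled {
		return nil // verification off for this repo: accept as the registry does today
	}
	if key == nil {
		return fmt.Errorf("admission: verification enabled for %q but no public key configured", repo)
	}
	h := sha256.Sum256([]byte(manifestDigest))
	if !ecdsa.VerifyASN1(key, h[:], sig) {
		return ErrBadSignature
	}
	return nil
}

// SignDigest is the pusher's side of the exchange, used here only to build the demo.
func SignDigest(priv *ecdsa.PrivateKey, manifestDigest string) ([]byte, error) {
	h := sha256.Sum256([]byte(manifestDigest))
	return ecdsa.SignASN1(rand.Reader, priv, h[:])
}

// Pending implements the second rule: an image is accepted first and deleted
// if no signature arrives within the grace period.
type Pending struct {
	grace    time.Duration
	uploaded map[string]time.Time // digest -> upload time
}

func NewPending(grace time.Duration) *Pending {
	return &Pending{grace: grace, uploaded: map[string]time.Time{}}
}

// Uploaded records an image waiting for its signature; Signed clears it once one is admitted.
func (q *Pending) Uploaded(digest string, now time.Time) { q.uploaded[digest] = now }
func (q *Pending) Signed(digest string)                  { delete(q.uploaded, digest) }

// Sweep returns (and forgets) digests whose grace period elapsed unsigned; the caller deletes them.
func (q *Pending) Sweep(now time.Time) []string {
	var expired []string
	for d, t := range q.uploaded {
		if now.Sub(t) > q.grace {
			expired = append(expired, d)
			delete(q.uploaded, d)
		}
	}
	sort.Strings(expired)
	return expired
}

func main() {
	// Constructed demo: one signer key, global verification enabled, placeholder digest.
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	policy := SignPolicy{Enabled: true, GlobalKey: &priv.PublicKey}
	digest := "sha256:<placeholder-manifest-digest>"
	sig, _ := SignDigest(priv, digest)
	fmt.Println("valid signature:   ", policy.Admit("library/app", digest, sig))
	sig[len(sig)-1] ^= 0x01 // tamper with the signature
	fmt.Println("tampered signature:", policy.Admit("library/app", digest, sig))
	q := NewPending(5 * time.Minute)
	t0 := time.Date(2021, 10, 27, 16, 0, 0, 0, time.UTC)
	q.Uploaded(digest, t0)
	fmt.Println("deleted after sweep:", q.Sweep(t0.Add(10*time.Minute)))
}
```

A repo-level `Key` override means a signature under the global key is rejected for that repo, which is the behaviour a per-repo key implies; a repo with `Enabled` set to false is admitted without looking at the signature, so the switch should default to the global value rather than silently off.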

Put this under a "pkg/extensions/sign" with its own extension config.

rchincha, Oct 27 '21 17:10

We'll reconsider this in the future. For now the client will do all verification.

andaaron, Jan 19 '22 17:01