
Sign Ratify release assets

Open akashsinghal opened this issue 9 months ago • 3 comments

What would you like to be added?

Ratify should sign published GHCR images. Tools like cosign's keyless support can help here.

Anything else you would like to add?

No response

Are you willing to submit PRs to contribute to this feature?

  • [ ] Yes, I am willing to implement it.

akashsinghal avatar May 02 '24 22:05 akashsinghal

Scope here can include publishing SBOM + SLSA provenance in-toto attestations using buildx

akashsinghal avatar Jun 10 '24 23:06 akashsinghal

Here is the current proposal. I suggest we iterate on this as need arises:

  • Add signing for both release and dev images. (total of 6 unique images)
  • Integrate signing in both dev asset publishing and release publishing workflows
  • Generate cosign keyless signatures
  • Generate Notary Project signatures via notation. This requires maintaining an Azure Key Vault with the certs. The public cert will be published as the ratify-verification.crt file in the root of the repo. For now, both release and dev images will be signed with the same cert

akashsinghal avatar Jun 12 '24 20:06 akashsinghal
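For illustration, here is a sketch (added here, not Ratify's own workflow) of how the proposal above maps onto a GitHub Actions job: build with buildx attestations, sign the pushed digest keylessly with cosign, then sign it again with notation using a key held in Azure Key Vault. `<org>`, the Key Vault key URL, the plugin URL/checksum and the `AZURE_*` secret names are placeholders, not values from the project.

```yaml
# Added illustration of the signing proposal above; not Ratify's workflow.
# Placeholders: <org>, the Key Vault key URL, the plugin URL and checksum.
name: publish-and-sign
on:
  push:
    tags: ['v*']

permissions:
  contents: read
  packages: write   # push to GHCR
  id-token: write   # OIDC token: needed by cosign keyless and by azure/login

jobs:
  publish:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}
      - id: build
        uses: docker/build-push-action@v5
        with:
          push: true
          tags: ghcr.io/<org>/ratify:${{ github.ref_name }}
          provenance: mode=max   # SLSA provenance attestation via buildx
          sbom: true             # SBOM attestation via buildx

      # 1) Sigstore keyless signature. Always sign the immutable digest, not the tag.
      - uses: sigstore/cosign-installer@v3
      - run: cosign sign --yes "ghcr.io/<org>/ratify@${{ steps.build.outputs.digest }}"

      # 2) Notary Project signature with a signing key kept in Azure Key Vault.
      - uses: azure/login@v2
        with:
          client-id: ${{ secrets.AZURE_CLIENT_ID }}
          tenant-id: ${{ secrets.AZURE_TENANT_ID }}
          subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
      - uses: notaryproject/notation-action/setup@v1
      - uses: notaryproject/notation-action/sign@v1
        with:
          plugin_name: azure-kv
          plugin_url: <release URL of the notation-azure-kv plugin>
          plugin_checksum: <sha256 of that plugin release>
          key_id: https://<vault>.vault.azure.net/keys/<key-name>/<version>
          target_artifact_reference: ghcr.io/<org>/ratify@${{ steps.build.outputs.digest }}
          signature_format: cose
```

Consumers would check the cosign signature with `cosign verify --certificate-oidc-issuer https://token.actions.githubusercontent.com --certificate-identity-regexp <workflow identity>`, and the notation signature by adding the published ratify-verification.crt to a trust store (`notation cert add --type ca --store <name> ratify-verification.crt`) referenced from their trust policy.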

As per discussion in CC 7/24/24, we will open a separate issue to track dev image signing only. Dev image signing will begin as soon as #1629 is merged. We will gather feedback on the verification process and then enable it for release assets.

akashsinghal avatar Jul 25 '24 17:07 akashsinghal