Add public signature data for connaisseur itself to github repo

Open xopham opened this issue 3 years ago • 2 comments

Describe the feature

The public signature information for Connaisseur itself should be added to the GitHub repository for Notary v1 and also Cosign.

Optional: Is your feature request related to a problem? Please describe.

This would allow pinning the public key to the one provided via the GitHub repository.

Optional: Implementation ideas

The pubkey files (for Notary v1, Cosign and future solutions) could be placed in the repo and a section providing the key and how to verify could be added to the README.md before 'Additional Information'. It could be similar to https://github.com/GoogleContainerTools/kaniko#verifying-signed-kaniko-images .

xopham, Apr 10 '21 12:04

This is done, isn't it, @xopham? https://github.com/sse-secure-systems/connaisseur/blob/master/helm/values.yaml#L85

Starkteetje, Oct 15 '21 14:10

Well, that could be displayed separately, as for an initial rollout one would have to verify the Connaisseur validation manually, and we may want to provide the public key etc., e.g. as a released package.

xopham, Apr 29 '22 14:04