connaisseur
Add public signature data for connaisseur itself to github repo
Describe the feature
The public signature information for connaisseur itself should be added to the GitHub repository for Notary v1 and also Cosign.

Optional: Is your feature request related to a problem? Please describe.
This would allow pinning the public key to the one provided via the GitHub repository.

Optional: Implementation ideas
The pubkey files (for Notary v1, Cosign and future solutions) could be placed in the repo, and a section providing the key and how to verify could be added to the README.md before 'Additional Information'. It could be similar to https://github.com/GoogleContainerTools/kaniko#verifying-signed-kaniko-images.
This is done, isn't it, @xopham? https://github.com/sse-secure-systems/connaisseur/blob/master/helm/values.yaml#L85
Well, that could be displayed separately, as for an initial rollout one would have to verify the connaisseur validation manually, and we may want to provide the public key etc., e.g. as a released package.