container image signature verification at containerd

[arronwy]

What is the problem you're trying to solve

Allow image singing verification at container runtime, currently docker and cri-o already support this feature.

I only found a containerd/cri#624 discussing this issue before, not sure current status of this feature in containerd.

Describe the solution you'd like

https://kubernetes.io/blog/2023/06/29/container-image-signature-verification/
https://docs.docker.com/engine/security/trust/

Additional context

No response

[AkihiroSuda]

Seems a duplicate of

• [transfer] plugin to transfer service for image verification #6691

[arronwy]

Thanks @AkihiroSuda , I found image verification works with ctr command, but failed for CRI images, do we have issue to track this feature for CRI images?

ctr image pull --local=false index.docker.io/library/alpine@sha256:c75ac27b49326926b803b9ed43bf088bc220d22556de1bc5f72d742c91398f69
ctr: rpc error: code = Unknown desc = image verifier bindir blocked pull of index.docker.io/library/alpine@sha256:c75ac27b49326926b803b9ed43bf088bc220d22556de1bc5f72d742c91398f69 with digest sha256:c75ac27b49326926b803b9ed43bf088bc220d22556de1bc5f72d742c91398f69 for reason: verifier verifier rejected image (exit code 1): Rejected

crictl pull index.docker.io/library/alpine@sha256:c75ac27b49326926b803b9ed43bf088bc220d22556de1bc5f72d742c91398f69
Image is up to date for sha256:24c8ece58a1aa807c0d8ea121f91cee2efba99624d0a8aed732155fb31f28993