Support image signing and verification #295
One blocker of adding Cosign is that there is one step in cosign that requires users to pass the Cosign password as an environment variable.
If Lima wants to support env pass-through by Otherwise, we will need to inject Will inject
Another blocker is in the latest Cosign 2.0.0,
This change updated the OS image which includes the Cosign binary. The overall Finch size will increase by around 40MB with this OS image. As there are other pending Cosign changes, we may need to only package Cosign, which increases the size by 40MB, but without making Cosign work in the next version. Considering the size increase is not significant and it will anyway increase later, I think it is ok to not revert the OS image change. Let me know if anyone has concerns. cc @estesp @pendo324
#295

*Description of changes:* Add COSIGN_PASSWORD env pass-through to allow users to use Cosign. The feature should be experimental as it is experimental in Nerdctl. As Finch points to Nerdctl documentation today, users could see that the Cosign feature is experimental in the Nerdctl documentation, so we will not mention experimental in Finch explicitly.

*Testing done:* The tests only cover signing by push and verification by pull and run with the keys as MVP. The tests won't pass until the [change](containerd/nerdctl#2109) is integrated into Finch. Tested locally that it can work with this change in Nerdctl.

- [x] I've reviewed the guidance in CONTRIBUTING.md

#### License Acceptance

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

Signed-off-by: Ziwen Ning <ningziwe@amazon.com>
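The pass-through described in the PR above forwards one host variable into the VM. The following Go example is added here and is not Finch's or nerdctl's own code; it shows the defender-side shape of such a feature: an allowlist so that only COSIGN_PASSWORD (not the rest of the host environment) reaches the VM, plus redaction so the password never lands in a debug log of the VM command. The allowlist, function names and host environment are constructed for the demonstration.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Hypothetical allowlist, not Finch's own code: only these host variables are
// forwarded into the VM; everything else in the host environment stays private.
var passthroughAllowlist = map[string]bool{
	"COSIGN_PASSWORD": true,
}

// PassthroughEnv keeps only allowlisted KEY=VALUE entries from the host
// environment, sorted so the resulting VM environment is deterministic.
func PassthroughEnv(hostEnv []string) []string {
	var out []string
	for _, kv := range hostEnv {
		key, _, ok := strings.Cut(kv, "=")
		if ok && passthroughAllowlist[key] {
			out = append(out, kv)
		}
	}
	sort.Strings(out)
	return out
}

// RedactForLog masks the values of forwarded variables so a debug log of the
// VM command never contains the Cosign key password.
func RedactForLog(env []string) []string {
	out := make([]string, 0, len(env))
	for _, kv := range env {
		key, _, ok := strings.Cut(kv, "=")
		if ok && passthroughAllowlist[key] {
			kv = key + "=<redacted>"
		}
		out = append(out, kv)
	}
	return out
}

func main() {
	// Constructed host environment for the demonstration.
	host := []string{"HOME=/Users/me", "AWS_SECRET_ACCESS_KEY=hunter2", "COSIGN_PASSWORD=s3cret"}
	vmEnv := PassthroughEnv(host)
	fmt.Println("vm env:", RedactForLog(vmEnv))
	// nerdctl inside the VM then reads COSIGN_PASSWORD itself (flags per nerdctl's cosign docs):
	fmt.Println("nerdctl push --sign=cosign --cosign-key cosign.key example.com/app:1.0")
}
```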
Logging the recent work of Cosign experimental support here:
About Notation, the Nerdctl Notation integration is done: containerd/nerdctl#1974. The major blocker of Finch Notation integration is Docker credential sharing (Issue). Without it, Notation login and logout are required to manage Notation credentials. Providing extra commands in Finch or asking users to log in to the Finch VM to run it are both not desirable. When the issue is resolved, Notation can share the credentials of Docker/Nerdctl so Finch login/logout can manage it. Once it is completed, we may consider integrating Notation 1.0 RC as experimental support. Before Notation 1.0, there is a risk of spec change, implementation change, and other experience gaps like plugin installation (Issue) and local key signing (Issue). So the full support in Finch will be after Notation 1.0.
Notation 1.0 is out: https://github.com/notaryproject/notation/releases/tag/v1.0.0
What is the problem you're trying to solve?
Nerdctl has signing and verification by Cosign and Notation as experimental features today.
https://github.com/containerd/nerdctl/blob/main/docs/cosign.md
https://github.com/containerd/nerdctl/blob/main/docs/notation.md
However, without the binaries installed in Finch VM, the signing and verification related functionalities are not working in Finch and would throw
Describe the feature you'd like
Package Cosign and Notation in Finch VM.
Additional context