Re: OCP Image Signing

On May 3, 2019, at 4:59 PM, Grace Thompson <barfingcat11 gmail com> wrote:

We'd like to implement image signing for our imagestreams. We are unable to use `atomic cli` or skopeo to sign the images since we support other OS's and not just rpm based distros. 

If you would clarify - what part of “rpm based distros” impacts signing for you?

There seems to be a way to write signatures using the registry API as written here:

My question is about the signature.json payload. How is this file generated? Do we still need to sign the images first using `atomic cli` or skopeo? Is there a more generic way of signing the image streams?  

What are you trying to sign?

An atomic container signature is a detached signature identifying an image by its digest (which is a cryptographically strong verification of particular contents of that image).

Signing an image stream rarely makes sense, unless you are trying to prove that a particular set of tags were applied to a particular set of digests.  Knowing more about your use case will help answer your question.


```json
{
  "version": 2,
  "type": "atomic",
  "name": "sha256:4028782c08eae4a8c9a28bf661c0a8d1c2fc8e19dbaae2b018b21011197e1484@cddeb7006d914716e2728000746a0b23",
  "content": "<cryptographic_signature>"
}
```



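How the signature.json payload above is assembled, as an added example that is not part of this thread: the bytes that get signed are a containers/image "atomic container signature" JSON carrying the manifest digest and the image reference, signed as an OpenPGP signed message (gpg --sign, not a detached signature), then base64-encoded into "content", while "name" is the digest followed by "@" and a 32-hex signature id. The gpg_sign helper, the registry reference, SAMPLE_MANIFEST and the fake signer inside demo() are assumptions made for this example.

```python
# Added example, not code from the thread: build the registry-API signature.json
# for an image digest. Signing is pluggable so the flow runs without gpg installed.
import base64, hashlib, json, re, secrets, subprocess, time

# OpenShift signature object name: <manifest digest>@<32 hex signature id>
SIG_NAME_RE = re.compile(r"^sha256:[0-9a-f]{64}@[0-9a-f]{32}$")

# Constructed manifest bytes for the demo (a real one is the exact bytes the registry serves).
SAMPLE_MANIFEST = b'{"schemaVersion":2,"config":{"digest":"sha256:placeholder"},"layers":[]}'

def manifest_digest(manifest_bytes: bytes) -> str:
    """Registry content digest: sha256 over the exact manifest bytes."""
    return "sha256:" + hashlib.sha256(manifest_bytes).hexdigest()

def atomic_signature_payload(digest: str, docker_reference: str, creator: str) -> bytes:
    """The JSON that is actually signed (containers/image 'atomic container signature' layout)."""
    payload = {
        "critical": {
            "type": "atomic container signature",
            "image": {"docker-manifest-digest": digest},
            "identity": {"docker-reference": docker_reference},
        },
        "optional": {"creator": creator, "timestamp": int(time.time())},
    }
    return json.dumps(payload, separators=(",", ":"), sort_keys=True).encode()

def gpg_sign(payload: bytes, key_id: str) -> bytes:
    """Real signer (assumed helper): binary OpenPGP signed message via gpg --sign."""
    return subprocess.run(["gpg", "--batch", "--local-user", key_id, "--sign", "--output", "-"],
                          input=payload, check=True, capture_output=True).stdout

def build_signature_json(manifest_bytes: bytes, docker_reference: str, creator: str, signer) -> dict:
    """Return the dict to PUT as signature.json; signer(payload) -> signed OpenPGP bytes."""
    digest = manifest_digest(manifest_bytes)
    signed = signer(atomic_signature_payload(digest, docker_reference, creator))
    return {
        "version": 2,
        "type": "atomic",
        "name": f"{digest}@{secrets.token_hex(16)}",
        "content": base64.b64encode(signed).decode(),
    }

def decode_content(sig: dict) -> bytes:
    """Recover the signed blob a verifier would hand to gpg (no verification done here)."""
    return base64.b64decode(sig["content"])

def demo() -> dict:
    """Run with a constructed manifest and a fake signer (NOT a real signature)."""
    fake_signer = lambda payload: b"FAKE-PGP-SIGNED:" + payload  # placeholder stand-in for gpg_sign
    return build_signature_json(SAMPLE_MANIFEST, "registry.example.com/team/app:1.0", "example-ci", fake_signer)
```

Swap fake_signer for functools.partial(gpg_sign, key_id="<your key id>") to produce a real signature; the "name" and "content" fields are then ready for the registry signatures endpoint.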