Uploaded image for project: 'Cluster Integration and Delivery'
  1. Cluster Integration and Delivery
  2. CLID-280

Estimate OCPSTRAT-1417 / OCPSTRAT-1869 [Signature Mirroring feature]

XMLWordPrintable

    • Icon: Spike Spike
    • Resolution: Done
    • Icon: Normal Normal
    • None
    • None
    • oc-mirror
    • None
    • Product / Portfolio Work
    • False
    • Hide

      None

      Show
      None
    • False
    • None
    • None
    • CLID Sprint 263, CLID Sprint 264, CLID Sprint 266

      The below todo list is for implementing support for OCI 1.1 referrers .
      OCPSTRAT-1869 has since been rescoped to cosign attachment based signatures only.
      Todo list:

      • Understand all the requirements (attestations for example [OUT OF SCOPE])
        • Description & examples (build attestations) can be found here
      • Find the SMEs that can assist with this
      • [OUT OF SCOPE] Find out plans of c/image regarding OCI 1.1referals
      • Find out if c/image's copy copies signatures along with images (when tag-based is found)
        •  Yes, provided that the config in /etc/containers/registries.d/ for both source and destination registries have use-sigstore-attachments: true
        • For manifest lists, are all signatures copied? I had a feeling only the amd64 and the manifest list signatures were copied. arm64, and other manifests don't seem to have signatures
      • [OUT OF SCOPE] Find out if c/image's copy copies attestations
      • [OUT OF SCOPE] Find out plans of distribution/distribution (oc-mirror cache) regarding OCI 1.1 referals
      • Find out whether oc-mirror is expected to verify all the signatures or just copy them
      • Find out if we are supposed to support all sigstore signatures or just the ones signed by ART/RedHat
      • Find out if the ART/Redhat signatures are signed by PGP or if they require access to Rekor and other Sigstore external systems (Certificate authorities, certificate repositories, etc)
      • Find out if oc-mirror needs to describe the disconnected process to verify these signatures
      • No access to external systems (sigstore related) for enclaves
      • Archives generated by oc-mirror v2 are differential: this means that ImageBlobGatherer discovers and copies all blobs belonging to the manifests, but today doesn't explore signatures attached...
      • Is it possible that c/Image copy needs a different set of configurations per image (policy, signByFingerPrint, signBySigstorePrivateKey, signIdentity, etc)?
      • Should oc-mirror verify signatures? or only copy them?
      • Should we implement a new signature verification for releases? today's version is based on something that resembles lookaside, but not exactly...
      • Is the configMap generation still necessary?
      • Are oci catalogs expected to be signed? what does that oci catalog folder look like? can we mirror those signatures?

              rh-ee-aguidi Alex Guidi
              skhoury@redhat.com Sherine Khoury
              None
              None
              None
              Votes:
              0 Vote for this issue
              Watchers:
              6 Start watching this issue

                Created:
                Updated:
                Resolved: