- Epic
- Resolution: Done
- Normal
- None
- None
- Signature Mirroring
- Product / Portfolio Work
- OCPSTRAT-1869 [Phase 1: Cosign tag-based discovery] oc-mirror v2: Discover and mirror SigStore-style attachments
- 8% To Do, 8% In Progress, 85% Done
- False
- False
- Not Selected
- None
- None
- 31
Open Questions:
- Verifying third-party image signatures: support verifying the authenticity and integrity of non-Red Hat (third-party) image signatures using their public keys.
  Question 1: How complex would it be to allow users to specify the location of their public keys in the configuration file or to pass them as arguments?
  Question 2: Is oc-mirror going to copy the certificate/public key as a resource into the cluster resources folder and ask the customer to apply it?
  Question 3: What about certificates?
- Catalog image signatures: scenario where we rebuild the catalog
  Question 1: The signature of the rebuilt catalog does not match the original one, since we changed the image completely. How is this going to work? Is the cluster going to fail because the signature is not the expected one?
- Support the future OCI 1.1 referrer-based approach:
  Question 1: Is the container image side prioritizing this implementation? Do we already have a Jira issue for this implementation?
- is related to
  - OCPBUGS-55100 Currently it is not possible to disable signature mirroring by registry / namespace / image (Verified)
  - OCPBUGS-56378 Verification error during collection of operator catalog image (Verified)
  - OCPBUGS-55076 [v2] Release signatures errors should stop the workflow during tar generation (Verified)
  - OCPBUGS-55078 [v2] Original catalog signature should not be mirrored to the target (Verified)
  - OCPBUGS-55077 For security reason the signature verification should be enabled by default (Closed)
- links to