-
Feature
-
Resolution: Done
-
Critical
-
None
Note: There is no work pending from OTA team. The Jira tracks the work pending from other teams.
We started the feature with the assumption that CVO has to implement sigstore key verification like we do with gpg keys.
After investigation we found that sigstore key verification is done at node level and there is no CVO work. From that point this feature became a tracking feature for us to help other teams to do "sigstore key verification" tasks . Specifically Node team. The "sigstore key verification" roadmap is here https://docs.google.com/presentation/d/16dDwALKxT4IJm7kbEU4ALlQ4GBJi14OXDNP6_O2F-No/edit#slide=id.g547716335e_0_2075
Feature Overview (aka. Goal Summary)
Add sigstore signatures to core OCP payload and enable verification. Verification is now done via CRIO.
There is no CVO work in this feature and this is a Tech Preview change.
OpenShift Release Engineering can leverage a mature signing and signature verification stack instead of relying on simple signing
Goals (aka. expected user outcomes)
Customers can leverage OpenShift to create trust relationships for running OCP core container images
Specifically, customers can trust signed images from a Red Hat registry and OCP can verify those signatures
Requirements (aka. Acceptance Criteria):
A list of specific needs or objectives that a feature must deliver in order to be considered complete. Be sure to include nonfunctional requirements such as security, reliability, performance, maintainability, scalability, usability, etc. Initial completion during Refinement status.
<enter general Feature acceptance here>
– Kubelet/CRIO to verify RH images & release payload sigstore signatures
– ART will add sigstore signatures to core OCP images
Anyone reviewing this Feature needs to know which deployment configurations that the Feature will apply to (or not) once it's been completed. Describe specific needs (or indicate N/A) for each of the following deployment scenarios. For specific configurations that are out-of-scope for a given release, ensure you provide the OCPSTRAT (for the future to be supported configuration) as well.
These acceptance criteria are for all deployment flavors of OpenShift.
| Deployment considerations | List applicable specific needs (N/A = not applicable) | |
| Self-managed, managed, or both | both | |
| Classic (standalone cluster) | yes | |
| Hosted control planes | yes | |
| Multi node, Compact (three node), or Single node (SNO), or all | ||
| Connected / Restricted Network | ||
| Architectures, e.g. x86_x64, ARM (aarch64), IBM Power (ppc64le), and IBM Z (s390x) | ||
| Operator compatibility | ||
| Backport needed (list applicable versions) | Not Applicable | |
| UI need (e.g. OpenShift Console, dynamic plugin, OCM) | none, | |
| Other (please specify) |
Documentation Considerations
Add documentation for sigstore verification and gpg verification
Interoperability Considerations
For folks mirroring release images (e.g. disconnected/restricted-network):
- oc-mirror need to support sigstore mirroring (OCPSTRAT-1417).
- Customers using BYO image registries need to support hosting sigstore signatures.
- is cloned by
-
-
- In Progress
-
- is related to
-
-
- Under Review
-
-
OTA-1267 Cincinnati compatibility with Cosign / Sigstore signatures
-
- Closed
-
- relates to
-
-
- New
-
-
-
- In Progress
-
