Project: OpenShift Over the Air
Issue: OTA-1170

CVO to verify RH images & release payload sigstore signatures


    • Type: Epic
    • Resolution: Unresolved
    • Priority: Critical
    • Status: To Do
    • enable cosign
    • Parent: OCPSTRAT-1245 - Add sigstore signatures to core OCP payload and enable CVO to verify these
    • Progress: 100% To Do, 0% In Progress, 0% Done

      CVO needs to add the ability to validate sigstore signatures for RH content.

      This is part of Red Hat's overall sigstore strategy.

      Today, Red Hat uses "simple signing", which uses a GPG key and a separate file server to host signatures for container images.

      cosign is on track to be an industry standard container signing technique. The main difference is that, instead of signatures being stored in a separate file server, the signature is stored in the same registry that hosts the image.
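To make the difference concrete, here is an added example of a containers/image `policy.json` (the trust policy consumed by podman, skopeo and CRI-O) that expresses both models side by side; it is not configuration from this issue or from the CVO project. The first entry is the simple-signing model: a `signedBy` requirement backed by a GPG public key, with the detached signature fetched from a separate signature server configured elsewhere (in `registries.d`). The second entry is the sigstore model for a mirror of the same content: a `sigstoreSigned` requirement backed by a cosign public key, where the signature is read from the registry as an attachment next to the image. The key paths and the mirror hostname `registry.example.com` are placeholders; `quay.io/openshift-release-dev` is assumed to be the upstream release image namespace.

```json
{
  "default": [
    { "type": "reject" }
  ],
  "transports": {
    "docker": {
      "quay.io/openshift-release-dev": [
        {
          "type": "signedBy",
          "keyType": "GPGKeys",
          "keyPath": "/etc/pki/example/simple-signing-release.gpg"
        }
      ],
      "registry.example.com/mirror/openshift-release-dev": [
        {
          "type": "sigstoreSigned",
          "keyPath": "/etc/pki/example/sigstore-release.pub",
          "signedIdentity": {
            "type": "remapIdentity",
            "prefix": "registry.example.com/mirror/openshift-release-dev",
            "signedPrefix": "quay.io/openshift-release-dev"
          }
        }
      ]
    }
  }
}
```

Two points worth noting. The `default: reject` entry means any image not matched by an explicit requirement is refused, so a mirror or registry that was forgotten fails closed rather than open. The `remapIdentity` block is what makes the mirrored case verifiable: the sigstore signature was produced over the upstream name, so the policy tells the verifier to check the signature against `quay.io/openshift-release-dev/...` even though the image was pulled from the mirror. For the `sigstoreSigned` entry to find the signature, the containers/image stack also needs `use-sigstore-attachments: true` for that registry in `registries.d`; with the simple-signing entry, the corresponding `registries.d` setting is the `sigstore` URL of the file server that hosts the detached signatures.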

      Design document / discussion from software production: https://docs.google.com/document/d/1EPCHL0cLFunBYBzjBPcaYd-zuox1ftXM04aO6dZJvIE/edit

      Demo video: https://drive.google.com/file/d/1bpccVLcVg5YgoWnolQxPu8gXSxoNpUuQ/view 
       
      Software production will be migrating to cosign over the course of 2024.

      ART will continue to sign using simple signing in combination with sigstore signatures until SP stops using it and product documentation exists to help customers migrate from the simple signing signature verification.

      Questions:

      Acceptance criteria

      1. CVO needs to verify the new sigstore signatures for OCP release payload component images
      2. Once oc mirror stores sigstore signatures, CVO must be able to verify when the sigstore signature is stored in a mirror
      3. Support the referrers API for fetching the signature


            rh-ee-smodeel Subin MM
            mpatel1@redhat.com Mrunal Patel
            Votes: 0
            Watchers: 5