Epic Description

Begin using Sigstore signatures for container signing in RHEL / UBI.

Detailed Sigstore rationale and background here.

There is no work here for the Development Team, this is mostly work for packaging, and possible work for QE and Documentation.

SME: Miloslav Trmac

Goals

Adopting sigstore for signing RHEL/UBI based containers provides a more ergonomic experience for users and is in line with wider container-signing plans.

RHEL/UBI 7/8/9 will continue to have simple-signatures. RHEL 10 images would be sigstore only.

Note: simple-signing code will not be removed from RHEL container tools, so any user re-signing workflows will continue to function.

Requirements

All supported versions of RHEL container tools in RHEL and in layered products must have the code paths and correctly configured policy in order to use UBI10 containers from RHEL9 based systems.

(Optional) Use Cases

Out of Scope

Background, and strategic fit

Assumptions

Customer Considerations

Documentation Considerations

Interoperability Considerations

Questions