Uploaded image for project: 'RHEL'
  1. RHEL
  2. RHEL-79694

policy.json BYOPKI signature verification - RHEL 9.6 0day

XMLWordPrintable

    • No
    • Moderate
    • rhel-sst-container-tools
    • 3
    • False
    • Hide

      None

      Show
      None
    • Yes
    • None
    • None
    • None
    • Technology Preview
    • Hide
      .X.509 certificates certificates are available as a Technology Preview

      The `/etc/containers.policy.json` file now supports the X.509 certificates for container image signatures as a Technology Preview.
      If `pki` is present, the signature must be based on a non-Fulcio X.509 certificate.
      The `"type": "sigstoreSigned"` must be specified.

      Note: This functionality is client-side only; a PKI certificate authority is not included.
      Show
      .X.509 certificates certificates are available as a Technology Preview The `/etc/containers.policy.json` file now supports the X.509 certificates for container image signatures as a Technology Preview. If `pki` is present, the signature must be based on a non-Fulcio X.509 certificate. The `"type": "sigstoreSigned"` must be specified. Note: This functionality is client-side only; a PKI certificate authority is not included.
    • Done
    • Unspecified
    • Unspecified
    • Unspecified
    • All
    • None

      This will be a 0day delivery to supply BYOPKI as specified in this Jira card: https://issues.redhat.com/browse/OCPNODE-2269.  The changes will allow for pki  signature validation.  The code for this is in containers/image at this PR: https://github.com/containers/image/pull/2579

      PKI validation should NOT be on by default.  It should only be a configurable option in policy.json

      This will be delivered as Technical Preview.  The code should be merged on or before February 28, 2025 to upstream repo.  The plan is to create a testable version of Podman v5.4.1 by the following Wednesday, March 5, 2025

      Documentation:

      A release note should be created for the ZeroDay delivery noting the new option and that it is Tech Preview in RHEL 9.6/10.0

      Testing:

      Full regression test without configuration changes.  All tests should pass, and there is no evidence of PKI in use during the test.

      Enable PKI verification and run regression tests.  All tests should pass, and PKI verification should be in use.

       

              tsweeney@redhat.com Tom Sweeney
              tsweeney@redhat.com Tom Sweeney
              Container Runtime Eng Bot Container Runtime Eng Bot
              Container Runtime Bugs Bot Container Runtime Bugs Bot
              Gabriela Necasova Gabriela Necasova
              Votes:
              0 Vote for this issue
              Watchers:
              8 Start watching this issue

                Created:
                Updated: