Container Tools / RUN-1533

Improve Container Image Trust Through Better Cryptographic Tooling (sigstore) - RHEL 8.7.0/9.1.0


    • Improvement
    • RHELBU-208 - Improve Container Image Trust Through Better Cryptographic Tooling (sigstore)
    • rhel-sst-container-tools

      Description

      The goal of this feature is to improve container image trust within an organization and between organizations. This feature will provide customers the ability to easily create and verify custom cryptographic signatures for container images. This enables users to build a secure container image supply chain with trust from Red Hat all the way to the end consumer. This is targeted for Podman v4.2, RHEL 8.7/9.1.

      Goals

      This allows sysadmins, developers, and architects to verify Red Hat signatures, build new container image layers, sign them, and redistribute them online to standard registry servers such as DockerHub.io or Quay.io, or to an on-premises registry that complies with OCI standards. Having this ability to verify signatures will enhance content trust from the initial download of a container image from Red Hat to the final distribution to third-party users. This is a security feature which will enhance the customer's level of trust in Red Hat.

      Requirements

      A list of specific needs or objectives that a Feature must deliver to satisfy the Feature. Some requirements will be flagged as MVP. If an MVP gets shifted, the feature shifts. If a non-MVP requirement slips, it does not shift the feature.

      Requirement | Notes | isMvp?
      RHEL 8.5/RHEL 9.0 Beta: Implement SigStore upstream in Podman/Buildah and probably Fedora | The recently developed Cosign tool looks like it could be a potential fit: https://dlorenc.medium.com/cosign-signed-container-images-c1016862618 , https://github.com/sigstore/cosign |
      Needs to work with Red Hat signatures as delivered today (on a web server) and it needs to work with an OCI Artifact in an OCI Registry | |
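      The Goals paragraph and the second requirement together describe two signature delivery paths that a verifier on the consuming host has to handle: Red Hat's simple-signing signatures fetched from a lookaside web server, and an organization's own sigstore (cosign) signatures stored as OCI artifacts next to the image. The following is an added example, not code from this issue or from the Podman project: a shell function that writes a containers policy.json and a registries.d fragment enforcing both, in the format documented by containers-policy.json(5) and containers-registries.d(5). The output directory argument, the quay.io/example-org namespace and the cosign public key path are assumptions.

```shell
#!/bin/sh
# Added example (not from the Jira issue or the Podman project): write a
# signature policy covering both delivery mechanisms in the requirement.
# Assumptions: $1 stands in for /etc/containers; quay.io/example-org and the
# cosign public key path are placeholders for an organisation's own values.
set -eu

write_policy() {
    conf="$1"
    mkdir -p "$conf/registries.d"
    # Where to find signatures: Red Hat's simple-signing signatures live on a
    # lookaside web server; the organisation's cosign signatures are stored
    # as OCI artifacts next to the image in the registry.
    cat > "$conf/registries.d/default.yaml" <<'EOF'
docker:
  registry.access.redhat.com:
    sigstore: https://access.redhat.com/webassets/docker/content/sigstore
  quay.io/example-org:
    use-sigstore-attachments: true
EOF
    # What to require: GPG-signed simple signatures for Red Hat images, a
    # cosign (sigstore) signature for the organisation's images, reject
    # everything else. Local storage is trusted once an image has been pulled.
    cat > "$conf/policy.json" <<'EOF'
{
  "default": [ { "type": "reject" } ],
  "transports": {
    "docker": {
      "registry.access.redhat.com": [
        { "type": "signedBy", "keyType": "GPGKeys",
          "keyPath": "/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release" }
      ],
      "quay.io/example-org": [
        { "type": "sigstoreSigned",
          "keyPath": "/etc/pki/containers/example-org-cosign.pub" }
      ]
    },
    "containers-storage": { "": [ { "type": "insecureAcceptAnything" } ] }
  }
}
EOF
}

# Sanity check that the written policy fails closed: succeeds only when the
# default rule is "reject" and a sigstoreSigned requirement is present.
policy_fails_closed() {
    grep -q '"default": \[ { "type": "reject" } \]' "$1/policy.json" &&
    grep -q '"type": "sigstoreSigned"' "$1/policy.json"
}
```

      Installed under /etc/containers, this policy makes an unsigned pull from either namespace fail, while images from other registries are rejected outright by the default rule.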

      Acceptance Criteria

      A list of specific needs or objectives that must be delivered to satisfy the epic.

      Since we have already implemented a signing solution with Simple Signing, the spike to investigate cosign should produce something resembling a specific workflow, or an issue preventing widespread adoption of signing as it currently stands. At a minimum:

      • Current state of the technology
        • Current maintenance state
        • Plan for Red Hat to participate
      • A proposed customer centric workflow/use case to measure later implementation success
        • Recommendations on how we can leverage/build enhancements for use in RHEL/OCP
        • Workflow should be reviewed by PM and OCP
        • This workflow should be the basis of Doc and QE plans for RHEL adoption

      What SST and Layered Product should review this?

              rhn-engineering-mitr Miloslav Trmač
              tsweeney@redhat.com Tom Sweeney