Container Tools / RUN-4141

[PQC] Allow requiring TLS 1.3/ML-KEM for container-libs - sigstore signing

    • Type: Story
    • Resolution: Unresolved
    • rhel-container-tools

Allow requiring TLS 1.3 and ML-KEM (Post-Quantum Cryptography) support for container-libs in sigstore signing.

RUN-4080 covers most of container-libs; this issue tracks the outstanding work:

    • Rekor support for BaseTLS exists, but is not exposed to callers.
    • The Fulcio client currently doesn't expose a *tls.Config. We need to either add that upstream, or replace the client.
    • Three different Go modules are involved in the OIDC operations required for Fulcio; at least the sigstore one doesn't expose a *tls.Config. See whether that can be worked around, and if not, either add that upstream, or replace the code.

Acceptance Criteria:

    • TLS 1.2 remains the default for Podman.
    • The TLS version can be configured in the configuration files to use 1.3.
    • ML-KEM-exclusive mode can be enabled.
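As an added illustration (not code from container-libs, Podman or the sigstore projects), here is how the two acceptance-criteria settings could be mapped onto a Go *tls.Config and handed to an HTTP client, which is the injection point the Fulcio and OIDC clients are said to lack. The option names, the locally defined codepoint constant and the rule that ML-KEM-exclusive requires TLS 1.3 are this example's own assumptions.

```go
package main

import (
	"crypto/tls"
	"fmt"
	"net/http"
)

// IANA supported-group codepoint for hybrid X25519 + ML-KEM-768. Go 1.24+
// exports it as tls.X25519MLKEM768; defined here (assumption) so the example
// also builds on older toolchains.
const X25519MLKEM768 tls.CurveID = 0x11EC

// SigningTLSOptions stands in for the config-file knobs the ticket asks for;
// the field names are this example's, not real containers.conf keys.
type SigningTLSOptions struct {
	MinVersion     string // "" or "1.2" (default), or "1.3"
	MLKEMExclusive bool   // offer only the ML-KEM hybrid key-exchange group
}

// BuildTLSConfig produces the *tls.Config the Rekor, Fulcio and OIDC clients
// would need to accept. ML-KEM-exclusive is refused unless TLS 1.3 is the
// floor: hybrid PQ groups exist only in 1.3, so a 1.2 fallback would
// silently negotiate classical key exchange.
func BuildTLSConfig(o SigningTLSOptions) (*tls.Config, error) {
	cfg := &tls.Config{}
	switch o.MinVersion {
	case "", "1.2":
		cfg.MinVersion = tls.VersionTLS12
	case "1.3":
		cfg.MinVersion = tls.VersionTLS13
	default:
		return nil, fmt.Errorf("unsupported TLS version %q", o.MinVersion)
	}
	if o.MLKEMExclusive {
		if cfg.MinVersion != tls.VersionTLS13 {
			return nil, fmt.Errorf("ML-KEM-exclusive requires TLS 1.3")
		}
		cfg.CurvePreferences = []tls.CurveID{X25519MLKEM768}
	}
	return cfg, nil
}

// NewHTTPClient wires the config into a transport, which is what a client
// library has to accept for these settings to take effect.
func NewHTTPClient(o SigningTLSOptions) (*http.Client, error) {
	cfg, err := BuildTLSConfig(o)
	if err != nil {
		return nil, err
	}
	return &http.Client{Transport: &http.Transport{TLSClientConfig: cfg}}, nil
}
```

A client built from the default options keeps TLS 1.2 as the floor, matching the first acceptance criterion; only an explicit "1.3" plus the exclusive flag restricts key exchange to the hybrid group.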

rhn-engineering-mitr Miloslav Trmač
ddarrah@redhat.com David Darrah