Skip to content

As a user I can sync container image with its original signature when a sigstore is provided #498

Description

@pulpbot

Author: @ipanova (ipanova@redhat.com)

Redmine Issue: 9507, https://pulp.plan.io/issues/9507


Synced signatures are not verified. Signature verification is offloaded to the client.

If signed_only=True was specified only those images that have signature with be mirrored. Rest of the images will be skipped. If one of the per-arch images does not have a signature, the whole manifest list is skipped, even if some per-arch images in this list have signatures.
sigstore URL needs to be specified ( it's the webserver location of signatures, for example https://registry.redhat.io/containers/sigstore).
Otherwise it will be assumed that the signature is stored on the remote registry in a form of manifest (it most likely was signed with cosign https://github.com/SigStore/cosign#signing-subjects. we will not support this for now) or a separate object (this will be implemented as a part of different story)

Q: does podman/skopeo support verification of cosign signature type? Only atomic type for now https://github.com/containers/image/blob/main/docs/containers-signature.5.md#criticaltype

Metadata

Metadata

Assignees

Labels

No labels
No labels

Type

No type

Fields

No fields configured for issues without a type.

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions