Re: OCP Image Signing
skopeo is available via Homebrew on the Mac - if there’s a gap in function for signing it’s very reasonable to file an issue to ensure it works properly.

On May 3, 2019, at 7:32 PM, Clayton Coleman wrote:

> On May 3, 2019, at 4:59 PM, Grace Thompson wrote:
>
>> We'd like to implement image signing for our imagestreams. We are unable to use `atomic cli` or skopeo to sign the images since we support other OS's and not just rpm based distros.
>
> If you would clarify - what part of “rpm based distros” impacts signing for you?
>
>> There seems to be a way to write signatures using the registry API as written here:
>> https://docs.openshift.com/container-platform/3.9/admin_guide/image_signatures.html#accessing-image-signatures-using-registry-api
>>
>> My question is about the signature.json payload. How is this file generated? Do we still need to sign the images first using `atomic cli` or skopeo? Is there a more generic way of signing the image streams?
>
> What are you trying to sign? An atomic container signature is a detached signature identifying an image by its digest (which is a cryptographically strong verification of particular contents of that image). Signing an image stream rarely makes sense, unless you are trying to prove that a particular set of tags were applied to a particular set of digests. Knowing more about your use case will help answer your question.
>
>> {
>>   "version": 2,
>>   "type": "atomic",
>>   "name": "sha256:4028782c08eae4a8c9a28bf661c0a8d1c2fc8e19dbaae2b018b21011197e1484@cddeb7006d914716e2728000746a0b23",
>>   "content": ""
>> }

___
users mailing list
users@lists.openshift.redhat.com
http://lists.openshift.redhat.com/openshiftmm/listinfo/users
Re: OCP Image Signing
On May 3, 2019, at 4:59 PM, Grace Thompson wrote:

> We'd like to implement image signing for our imagestreams. We are unable to use `atomic cli` or skopeo to sign the images since we support other OS's and not just rpm based distros.

If you would clarify - what part of “rpm based distros” impacts signing for you?

> There seems to be a way to write signatures using the registry API as written here:
> https://docs.openshift.com/container-platform/3.9/admin_guide/image_signatures.html#accessing-image-signatures-using-registry-api
>
> My question is about the signature.json payload. How is this file generated? Do we still need to sign the images first using `atomic cli` or skopeo? Is there a more generic way of signing the image streams?

What are you trying to sign? An atomic container signature is a detached signature identifying an image by its digest (which is a cryptographically strong verification of particular contents of that image). Signing an image stream rarely makes sense, unless you are trying to prove that a particular set of tags were applied to a particular set of digests. Knowing more about your use case will help answer your question.

> {
>   "version": 2,
>   "type": "atomic",
>   "name": "sha256:4028782c08eae4a8c9a28bf661c0a8d1c2fc8e19dbaae2b018b21011197e1484@cddeb7006d914716e2728000746a0b23",
>   "content": ""
> }
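Added example (not from the thread, and not skopeo or OpenShift code): how a signature.json payload like the one quoted above can be assembled on any OS with Python and gpg. It assumes the claims layout of the containers/image signature format, that "content" carries the base64 of the OpenPGP signed message, a local gpg binary and key, and illustrative function names.

```python
import base64
import json
import re
import secrets
import subprocess
import time


def build_claims(docker_reference, manifest_digest, creator="example-signer 0.1"):
    """Return the JSON bytes to be signed: they bind a reference to a digest."""
    if not re.fullmatch(r"sha256:[0-9a-f]{64}", manifest_digest):
        raise ValueError("expected a sha256:<64 hex> manifest digest")
    claims = {
        "critical": {
            "type": "atomic container signature",
            "image": {"docker-manifest-digest": manifest_digest},
            "identity": {"docker-reference": docker_reference},
        },
        "optional": {"creator": creator, "timestamp": int(time.time())},
    }
    return json.dumps(claims, sort_keys=True).encode("utf-8")


def gpg_sign(claims, key_id):
    """Sign the claims with a local GnuPG key (assumption: gpg is on PATH).
    The result is a binary OpenPGP signed message that embeds the claims."""
    result = subprocess.run(
        ["gpg", "--batch", "--local-user", key_id, "--sign"],
        input=claims, capture_output=True, check=True,
    )
    return result.stdout


def registry_payload(manifest_digest, signed_blob, sig_name=None):
    """Wrap a signed blob in the signature.json shape shown in the thread."""
    sig_name = sig_name or secrets.token_hex(16)  # 32 hex chars, as in the thread
    return {
        "version": 2,
        "type": "atomic",
        "name": f"{manifest_digest}@{sig_name}",
        "content": base64.b64encode(signed_blob).decode("ascii"),
    }


# Constructed sample: the digest and signature name are the ones in the thread;
# the "signed" bytes are a placeholder standing in for gpg_sign() output.
DIGEST = "sha256:4028782c08eae4a8c9a28bf661c0a8d1c2fc8e19dbaae2b018b21011197e1484"
SAMPLE = registry_payload(DIGEST, b"<output of gpg_sign()>", "cddeb7006d914716e2728000746a0b23")
```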
OCP Image Signing
We'd like to implement image signing for our imagestreams. We are unable to use `atomic cli` or skopeo to sign the images since we support other OS's and not just rpm based distros.

There seems to be a way to write signatures using the registry API as written here:
https://docs.openshift.com/container-platform/3.9/admin_guide/image_signatures.html#accessing-image-signatures-using-registry-api

My question is about the signature.json payload. How is this file generated? Do we still need to sign the images first using `atomic cli` or skopeo? Is there a more generic way of signing the image streams?

{
  "version": 2,
  "type": "atomic",
  "name": "sha256:4028782c08eae4a8c9a28bf661c0a8d1c2fc8e19dbaae2b018b21011197e1484@cddeb7006d914716e2728000746a0b23",
  "content": ""
}