Re: OCP Image Signing

2019-05-03 Thread Clayton Coleman
skopeo is available via Homebrew on the Mac - if there’s a gap in function
for signing it’s very reasonable to file an issue to ensure it works
properly.

On May 3, 2019, at 7:32 PM, Clayton Coleman wrote:



On May 3, 2019, at 4:59 PM, Grace Thompson wrote:


We'd like to implement image signing for our imagestreams. We are unable to
use `atomic cli` or skopeo to sign the images since we support other OS's
and not just rpm based distros.


If you would clarify - what part of “rpm based distros” impacts signing for
you?


There seems to be a way to write signatures using the registry API as
written here:

https://docs.openshift.com/container-platform/3.9/admin_guide/image_signatures.html#accessing-image-signatures-using-registry-api


My question is about the signature.json payload. How is this file
generated? Do we still need to sign the images first using `atomic cli` or
skopeo? Is there a more generic way of signing the image streams?


What are you trying to sign?

An atomic container signature is a detached signature identifying an image
by its digest (which is a cryptographically strong verification of
particular contents of that image).

Signing an image stream rarely makes sense, unless you are trying to prove
that a particular set of tags were applied to a particular set of digests.
Knowing more about your use case will help answer your question.


{
  "version": 2,
  "type": "atomic",
  "name": "sha256:4028782c08eae4a8c9a28bf661c0a8d1c2fc8e19dbaae2b018b21011197e1484@cddeb7006d914716e2728000746a0b23",
  "content": ""
}


___
users mailing list
users@lists.openshift.redhat.com
http://lists.openshift.redhat.com/openshiftmm/listinfo/users


Re: OCP Image Signing

2019-05-03 Thread Clayton Coleman
On May 3, 2019, at 4:59 PM, Grace Thompson wrote:


We'd like to implement image signing for our imagestreams. We are unable to
use `atomic cli` or skopeo to sign the images since we support other OS's
and not just rpm based distros.


If you would clarify - what part of “rpm based distros” impacts signing for
you?


There seems to be a way to write signatures using the registry API as
written here:

https://docs.openshift.com/container-platform/3.9/admin_guide/image_signatures.html#accessing-image-signatures-using-registry-api


My question is about the signature.json payload. How is this file
generated? Do we still need to sign the images first using `atomic cli` or
skopeo? Is there a more generic way of signing the image streams?


What are you trying to sign?

An atomic container signature is a detached signature identifying an image
by its digest (which is a cryptographically strong verification of
particular contents of that image).

Signing an image stream rarely makes sense, unless you are trying to prove
that a particular set of tags were applied to a particular set of digests.
Knowing more about your use case will help answer your question.


{
  "version": 2,
  "type": "atomic",
  "name": "sha256:4028782c08eae4a8c9a28bf661c0a8d1c2fc8e19dbaae2b018b21011197e1484@cddeb7006d914716e2728000746a0b23",
  "content": ""
}


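An added example, not part of the thread and not OpenShift's or skopeo's own code: a Python sketch of how a signature.json payload ties back to the image digest described in the reply above, with structural checks a registry client could run before cryptographic verification. Assumptions: the claim layout follows the containers/image atomic signature format, the OpenPGP signing step is replaced by a placeholder blob, and the manifest, pull reference, creator string and signature id are constructed values.

```python
import base64
import hashlib
import json
import re

# <digest>@<32 hex chars>, the shape of "name" in the thread's payload
NAME_RE = re.compile(r"^(sha256:[0-9a-f]{64})@([0-9a-f]{32})$")

def manifest_digest(manifest: bytes) -> str:
    """The image's identity: SHA-256 over the exact manifest bytes."""
    return "sha256:" + hashlib.sha256(manifest).hexdigest()

def build_claim(digest: str, docker_reference: str) -> bytes:
    """Claim to be OpenPGP-signed; binds a pull reference to the digest."""
    claim = {"critical": {
        "type": "atomic container signature",
        "image": {"docker-manifest-digest": digest},
        "identity": {"docker-reference": docker_reference}},
        "optional": {"creator": "example-signer 0.1"}}  # hypothetical creator
    return json.dumps(claim, sort_keys=True).encode()

def build_signature_json(digest: str, sig_id: str, signed_blob: bytes) -> dict:
    """Registry API payload: content is the base64 of the signed blob."""
    return {"version": 2, "type": "atomic", "name": f"{digest}@{sig_id}",
            "content": base64.b64encode(signed_blob).decode("ascii")}

def envelope_problems(envelope: dict, manifest: bytes) -> list:
    """Structural checks to run before cryptographic verification."""
    problems = []
    if envelope.get("version") != 2 or envelope.get("type") != "atomic":
        problems.append("unexpected version or type")
    m = NAME_RE.match(envelope.get("name", ""))
    if not m:
        problems.append("name is not <sha256 digest>@<32 hex chars>")
    elif m.group(1) != manifest_digest(manifest):
        problems.append("name digest does not match the manifest")
    if not envelope.get("content"):
        problems.append("content is empty: no signature attached")
    return problems

# Constructed sample data (not from the thread).
MANIFEST = b'{"schemaVersion": 2, "layers": []}'
DIGEST = manifest_digest(MANIFEST)
CLAIM = build_claim(DIGEST, "registry.example.com/demo/app:1.0")
SIGNED_BLOB = b"PLACEHOLDER-OPENPGP-MESSAGE\n" + CLAIM  # stands in for real signer output
ENVELOPE = build_signature_json(DIGEST, "0123456789abcdef" * 2, SIGNED_BLOB)

if __name__ == "__main__":
    print(json.dumps(ENVELOPE, indent=2))
```

These checks only confirm that the envelope is well formed and names the right manifest; trust still depends on verifying the OpenPGP signature in `content` against a known signer key.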


OCP Image Signing

2019-05-03 Thread Grace Thompson

We'd like to implement image signing for our imagestreams. We are unable to use 
`atomic cli` or skopeo to sign the images since we support other OS's and not 
just rpm based distros. 

There seems to be a way to write signatures using the registry API as written 
here:

https://docs.openshift.com/container-platform/3.9/admin_guide/image_signatures.html#accessing-image-signatures-using-registry-api


My question is about the signature.json payload. How is this file generated? Do 
we still need to sign the images first using `atomic cli` or skopeo? Is there a 
more generic way of signing the image streams?  

{
  "version": 2,
  "type": "atomic",
  "name": "sha256:4028782c08eae4a8c9a28bf661c0a8d1c2fc8e19dbaae2b018b21011197e1484@cddeb7006d914716e2728000746a0b23",
  "content": ""
}

