Is there a generic container signature validation method?

Does anyone have a good solution for generic container signature verification? From what I've seen (please correct any mistakes):

  • Docker Hub uses signatures based on "Notary", which needs docker
  • Red Hat uses its own signing mechanism, which needs podman

As I can't install both podman and docker (containerd.io and runc have a conflict in RHEL, maybe a different host would allow it?) there seems to be no way to validate signatures that works for both sources.

Even if I could install them both, I'd need to parse the Dockerfile, work out where the source images came from, do a docker/podman pull on the images and then do the build only if no pulls fail. (Which feels likely to fail!)

For example: a build stage uses a container from Docker Hub (e.g. maven) and the run stage one from Red Hat (e.g. registry.access.redhat.com/ubi8).

I really want a generic "validate the container signature at this URL" function that I can drop into a CI/CD tool. Some teams like using the RH registry, some Docker Hub, some mix and match.

Any good ideas? Obvious solutions I missed?

Look at cosign: https://github.com/sigstore/cosign

$ cosign verify --key cosign.pub dlorenc/demo
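One way to wire that suggestion into the "parse the Dockerfile, check every base image" flow the question describes, as an added example that is not part of either post: a POSIX sh script that extracts the images a Dockerfile pulls and runs `cosign verify` on each, failing the build on the first untrusted one. It assumes cosign is on PATH and that the caller supplies the publisher's public key in `COSIGN_KEY`; the sample Dockerfile is constructed here to mirror the question's two-stage build.

```shell
#!/bin/sh
# Added example: verify the signature of every base image a Dockerfile pulls
# with cosign (https://github.com/sigstore/cosign). Assumes cosign is on PATH
# and COSIGN_KEY points at the image publisher's public key.

# Print the images a Dockerfile pulls, one per line, in order.
# Handles "FROM --platform=... image AS name", skips "scratch", and skips
# FROM lines that refer back to an earlier build stage by its alias.
dockerfile_base_images() {
  awk '
    toupper($1) == "FROM" {
      i = 2
      while (i <= NF && $i ~ /^--/) i++                  # skip flags like --platform
      img = $i
      if (img == "" || img == "scratch" || (img in stage)) next
      print img
      for (j = i + 1; j <= NF; j++)                      # remember "AS <alias>"
        if (toupper($j) == "AS" && j < NF) stage[$(j+1)] = 1
    }' "$1"
}

# Verify one image reference; returns cosign'"'"'s exit status (0 = trusted).
# COSIGN may be overridden (e.g. with a stub in tests); it defaults to cosign.
verify_image() {
  ${COSIGN:-cosign} verify --key "${COSIGN_KEY:?set COSIGN_KEY}" "$1" >/dev/null
}

# Verify every base image of a Dockerfile; fail fast on the first bad one.
verify_dockerfile() {
  dockerfile_base_images "$1" | while IFS= read -r img; do
    verify_image "$img" || { echo "signature check failed for $img" >&2; exit 1; }
    echo "verified $img"
  done
}

# Constructed sample: Docker Hub build stage, Red Hat run stage.
SAMPLE_DOCKERFILE=$(mktemp)
cat >"$SAMPLE_DOCKERFILE" <<'EOF'
FROM --platform=linux/amd64 maven:3.8-openjdk-11 AS build
COPY . /src
RUN mvn -f /src/pom.xml package
FROM registry.access.redhat.com/ubi8 AS run
COPY --from=build /src/target/app.jar /app.jar
EOF
```

In a pipeline you would call `verify_dockerfile ./Dockerfile` with `COSIGN_KEY` set per registry; mixed sources need the matching key selected per image, which cosign's `--key` flag leaves to the caller.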

粤ICP备18138465号  © 2020-2024 STACKOOM.COM