-
Notifications
You must be signed in to change notification settings - Fork 552
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
RFE: Support configuration to map image references to different sigstore deployments #3873
Comments
How do you see this being consumed by a verifier? A verifier doesn’t know the URL of the signing service in most cases because verification should be entirely offline. In that case, a verifier would need to explicitly note which TUF environment they trust, which you could also do by reinitializing the local TUF repo. One way this could be implemented is merging all targets across TUF repos, but this gets a bit complex with verification policies - do you allow verification with targets across multiple TUF repos for a single verification? Also related, there is a TUF proposal, https://github.com/theupdateframework/taps/blob/master/tap4.md, which is related to this idea of searching across repos. If you wanted to explore this more, could you make a post on the clients slack channel or open an issue in Sigstore/sig-clients? Cc @jku @kommendorkapten if yall have thoughts on this as well |
Are you aware of SigningConfig that was recently added to protobuf specs: https://github.com/sigstore/protobuf-specs/blob/main/protos/sigstore_trustroot.proto#L150 SigningConfig seems to be solving parts of this ("how can the user configure half a dozen urls? How do we ensure this is not a complete usability mess that will lead to broken client configurations?"). The idea as I see it is:
Comparing SigningConfig and your idea:
TAP4 is about using multiple TUF repositories at the same time... but we really only want to download the correct trusted_root.json for this situation: you don't need to use multiple repositories at the same time for that. User just needs a way to choose the repository at runtime |
Agree with @jku's assessment regarding TAP4. "An AND relation" is the opposite of what I'm looking for here. I raised this in the cosign channel a few months back and I was told that The current proposal is very specific to container images, but we can certainly make it more flexible. I'm just not that familiar with other artifact types. If this all seems reasonable, I can create a new issue in Thoughts? |
Description
There are cases where using the public Sigstore deployment is not an option, e.g. privacy concerns. Some organizations may opt to provide their own Sigstore deployment. Verifiers must then choose which Sigstore deployment to use when verifying an image,
cosign initialize ...
.Although that workflow works ok, it becomes increasingly difficult to use as the number of Sigstore deployment increases.
I propose a solution that encodes which deployment to be used based on configuration. For example:
Before performing a verification, cosign (and friends) would consult this file to initialize the tuf root as needed. Of course, this would have to be done in a concurrency-safe manner.
The text was updated successfully, but these errors were encountered: