Support github artifact attestation #2393
Comments
Created containers/image#2509

Thanks for reaching out. You're right that timestamp authorities are not currently supported, and they should be; they fit the actual use case much better than Rekor. And that does need to happen in c/image. Note that c/image etc. support sigstore signatures with a specific payload; I'm not immediately sure that an SBOM attestation is accepted. That might require more features to be added. We probably don't want to add a generic rules engine over an SBOM to the low-level image policy feature set, but that's a weak opinion and something that might change long-term.

A friendly reminder that this issue had no activity for 30 days.
GitHub recently launched https://github.blog/changelog/2024-06-25-artifact-attestations-is-generally-available/, which builds on sigstore's https://github.com/sigstore/fulcio, https://github.com/sigstore/rekor and https://github.com/sigstore/timestamp-authority.
For public repos there isn't really any concern here, as artifact attestations wrap the public-good sigstore instances of fulcio and rekor.
i.e. the following sigstore config would work to configure signing.
I'm more interested in supporting GitHub artifact attestations to ensure that we can use the private path supported by GitHub: using their own fulcio instance, and a timestamp authority for witnessing (note: private repos don't use rekor), which avoids having to host our own instances for private repositories that we don't want to leak details about.
i.e. the following instances:
https://fulcio.githubapp.com
https://timestamp.githubapp.com
which would need to be supported in a config such as:
NOTE: timestampAuthorityURL is not a supported field today in containers-sigstore-signing-params.yaml.5, which means this is likely an issue to be created against https://github.com/containers/image as well.
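For concreteness, an added illustration that is not part of the issue author's text or of the containers project's documentation: what the two signing setups described above (public-good Sigstore for public repos, GitHub-hosted Fulcio plus a timestamp authority for private repos) would look like in the containers-sigstore-signing-params.yaml format. The field names `fulcio`, `fulcioURL`, `oidcMode`, `oidcIssuerURL`, `oidcClientID`, `oidcIDToken` and `rekorURL` are assumed from the containers-sigstore-signing-params.yaml(5) man page; `timestampAuthorityURL` is the field this issue asks for and is not supported today. The GitHub Actions token issuer URL, the use of the job's OIDC token in `staticToken` mode, and the client ID value for GitHub's Fulcio are assumptions about how the private path would authenticate, not documented behaviour.

```yaml
# Added example, not the containers project's own documentation.
# Document 1: public repositories, public-good Sigstore (Fulcio + Rekor).
# Field names assumed from containers-sigstore-signing-params.yaml(5).
fulcio:
    fulcioURL: https://fulcio.sigstore.dev
    oidcMode: interactive
    oidcIssuerURL: https://oauth2.sigstore.dev/auth
    oidcClientID: sigstore
rekorURL: https://rekor.sigstore.dev
---
# Document 2: private repositories, GitHub-hosted Fulcio plus a timestamp
# authority instead of Rekor, so nothing about the repo lands in a public log.
fulcio:
    fulcioURL: https://fulcio.githubapp.com
    # Assumption: the job's GitHub Actions OIDC token is obtained out of band
    # and passed as a static token; the issuer is the Actions token issuer.
    # The client ID value is also an assumption.
    oidcMode: staticToken
    oidcIssuerURL: https://token.actions.githubusercontent.com
    oidcClientID: sigstore
    oidcIDToken: "<GitHub Actions OIDC token>"
# Proposed field from this issue; NOT a supported field in c/image today.
timestampAuthorityURL: https://timestamp.githubapp.com
# No rekorURL: the private path does not use Rekor.
```

The point of the second document is what is absent as much as what is present: with no `rekorURL`, the only witness of signing time is the RFC 3161 timestamp from the TSA, so a verifier must be configured to trust that TSA's certificate chain for the certificate-validity check that Rekor's inclusion time would otherwise provide.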