Story
Resolution: Unresolved
Normal
I’d like to propose that images hosted on Nexus are signed - this would make it possible to verify that a downloaded image is what the user wanted to download.
It would be good if the signing solution supported adding additional artifacts (like SBoMs).
Two solutions mentioned on SECCOM weekly that support this:
https://github.com/notaryproject/notary
https://github.com/sigstore/cosign
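To make the proposal concrete, the following Go program is an added example written for this ticket; it is not code from Nexus, from cosign or from notary, and it does not reproduce either tool's signature format. It models the mechanism both tools rely on: a publisher signs a statement bound to the image manifest digest (never the mutable tag), additional artifacts such as an SBOM are attached as further signed statements about the same digest, and the consumer accepts an image only if the signature verifies under a trusted public key and the digest in the statement matches the manifest actually pulled. The Ed25519 key pair, the JSON statement layout, and the manifest and SBOM bytes are all constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// Statement is the signed claim stored next to the image in the registry.
// Binding it to the manifest digest (not the tag) is what lets a consumer
// check that the bytes they pulled are the bytes the publisher signed.
// (Constructed layout for this example, not cosign's or notary's format.)
type Statement struct {
	Subject   string `json:"subject"`   // "sha256:<hex>" of the image manifest
	Predicate string `json:"predicate"` // "image-signature" or "sbom"
	Payload   []byte `json:"payload"`   // attached artifact, e.g. SBOM bytes
}

// Envelope carries the exact bytes that were signed plus the signature,
// so the verifier never re-serialises and risks a byte-level mismatch.
type Envelope struct {
	Statement []byte `json:"statement"`
	Signature []byte `json:"signature"`
}

// Signer holds the publisher's private key; only Pub is distributed to consumers.
type Signer struct {
	priv ed25519.PrivateKey
	Pub  ed25519.PublicKey
}

// NewSigner generates a fresh Ed25519 key pair (assumed key type for the example).
func NewSigner() (*Signer, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Signer{priv: priv, Pub: pub}, nil
}

// Digest is the content address of a manifest: the immutable identity a
// signature must refer to. Tags can be re-pointed and must not be signed instead.
func Digest(manifest []byte) string {
	sum := sha256.Sum256(manifest)
	return "sha256:" + hex.EncodeToString(sum[:])
}

// Sign produces an envelope for one statement (signature or attached artifact)
// about one manifest digest.
func (s *Signer) Sign(manifest []byte, predicate string, payload []byte) (Envelope, error) {
	st := Statement{Subject: Digest(manifest), Predicate: predicate, Payload: payload}
	raw, err := json.Marshal(st)
	if err != nil {
		return Envelope{}, err
	}
	return Envelope{Statement: raw, Signature: ed25519.Sign(s.priv, raw)}, nil
}

// Verify accepts an envelope only if (1) the signature is valid under the
// trusted public key, (2) the statement is bound to the digest of the manifest
// actually pulled, and (3) it is the kind of statement the caller expects.
func Verify(pub ed25519.PublicKey, manifest []byte, env Envelope, wantPredicate string) (Statement, error) {
	if !ed25519.Verify(pub, env.Statement, env.Signature) {
		return Statement{}, errors.New("signature does not verify under trusted key")
	}
	var st Statement
	if err := json.Unmarshal(env.Statement, &st); err != nil {
		return Statement{}, err
	}
	if got := Digest(manifest); st.Subject != got {
		return Statement{}, fmt.Errorf("statement is for %s, pulled image is %s", st.Subject, got)
	}
	if st.Predicate != wantPredicate {
		return Statement{}, fmt.Errorf("expected %s statement, got %s", wantPredicate, st.Predicate)
	}
	return st, nil
}

func main() {
	signer, err := NewSigner()
	if err != nil {
		panic(err)
	}
	manifest := []byte(`{"schemaVersion":2,"layers":["constructed-layer"]}`) // constructed sample
	sbom := []byte(`{"bomFormat":"CycloneDX","components":[]}`)            // constructed sample

	sig, _ := signer.Sign(manifest, "image-signature", nil) // publish step
	att, _ := signer.Sign(manifest, "sbom", sbom)           // attach SBOM as a signed statement

	_, err = Verify(signer.Pub, manifest, sig, "image-signature")
	fmt.Println("image signature:", err)
	st, err := Verify(signer.Pub, manifest, att, "sbom")
	fmt.Println("sbom attestation:", err, string(st.Payload))

	// A consumer who pulled different bytes (e.g. a re-pointed tag) is rejected.
	tampered := append(append([]byte{}, manifest...), '\n')
	_, err = Verify(signer.Pub, tampered, sig, "image-signature")
	fmt.Println("tampered image:", err)
}
```

With cosign the same shape appears as `cosign sign` and `cosign verify` for the image signature and `cosign attest` / `cosign verify-attestation` for attached artifacts such as an SBOM; the property that matters for the ticket is the one the example checks in Verify: the signature is bound to the manifest digest, so a consumer can tell whether the image pulled from Nexus is the one the publisher signed, and the SBOM travels as a separately verifiable statement about that same digest.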