IT: Release Engineering

RELENG-4208: Provide a way of verifying downloaded container images hosted on Nexus.


    • Type: Story
    • Resolution: Unresolved
    • Priority: Normal
    • Q4 2023 RE Operations

      I’d like to propose that images hosted on Nexus are signed - this would make it possible to verify that a downloaded image is what the user wanted to download.

      It would be good if the signing solution supported adding additional artifacts (like SBOMs).

      Two solutions mentioned at the SECCOM weekly that support this:
      https://github.com/notaryproject/notary
      https://github.com/sigstore/cosign

              Kevin Sandi (kevin.sandi)