Comments (5)
We’ve been somewhat discussing these things before, e.g. #25 .
I’m not sure what the best way to handle signatures for manifest lists is ATM. From a security POV, a signed manifest list implicitly authenticates the signed manifests, so, yes, a manifest signature could be accepted for the manifests listed in there.
OTOH that semantics may get messy: 1) download a manifest list 2) choose an item in the list, see the manifest digest; 3) publish/note the digest of the chosen manifest. Now, the user, given 3), can pull with manifestlist@sha256:digestfromstep3 to refer to an individual manifest, and there is no obvious way to go from sha256:digestfromstep3 to the original manifest list (its digest, and tag, if any, are not known), so the signatures on the manifest list cannot be applied to the individual manifest. So, this would argue for attaching signatures to the individual images, not to the manifest list.
To a big extent all of this strongly depends on whether the tools (are there any in widespread use?) present manifest lists more as a single “fat” image or more as a directory of individually managed images; the signature UX model should be consistent with the non-signature manifest list UX model.
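The one-directional relationship the comment above describes, as an added Go example that is not code from containers/image or from the commenter: an OCI image index (manifest list) commits to each manifest by digest and size, so a signature already verified over the index can be extended to a manifest by checking that membership, while nothing in a manifest points back to an index. `Descriptor`, `Index`, `BuildIndex` and `ManifestCoveredByIndex` are names chosen here, and the sample manifests are constructed.

```go
package main

import (
	"crypto/sha256"
	"encoding/json"
	"fmt"
)

// Descriptor and Index are the subsets of an OCI descriptor and OCI image index
// (Docker "manifest list") that this check needs.
type Descriptor struct {
	Digest string `json:"digest"`
	Size   int64  `json:"size"`
}
type Index struct {
	Manifests []Descriptor `json:"manifests"`
}

// DigestOf returns the canonical "sha256:<hex>" digest of raw manifest bytes.
func DigestOf(b []byte) string { return fmt.Sprintf("sha256:%x", sha256.Sum256(b)) }

// BuildIndex constructs an index referencing each manifest by digest and size,
// as a registry's manifest list does (constructed sample data, not a real image).
func BuildIndex(manifests ...[]byte) ([]byte, error) {
	var idx Index
	for _, m := range manifests {
		idx.Manifests = append(idx.Manifests, Descriptor{Digest: DigestOf(m), Size: int64(len(m))})
	}
	return json.Marshal(idx)
}

// ManifestCoveredByIndex reports whether manifestBytes is one of the manifests an
// already signature-verified index commits to: digest and size must both match.
// A manifest carries no pointer back to any index, so the reverse lookup
// (manifest digest -> signed index) described in the comment cannot be done here.
func ManifestCoveredByIndex(indexBytes, manifestBytes []byte) (bool, error) {
	var idx Index
	if err := json.Unmarshal(indexBytes, &idx); err != nil {
		return false, err
	}
	want := DigestOf(manifestBytes)
	for _, d := range idx.Manifests {
		if d.Digest == want && d.Size == int64(len(manifestBytes)) {
			return true, nil
		}
	}
	return false, nil
}
```

Build an index from two constructed per-platform manifests with `BuildIndex`; `ManifestCoveredByIndex` then returns true for each listed manifest and false for any other bytes, which is exactly the step a verifier would need before accepting an index signature for a single manifest.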
OTOH that semantics may get messy: 1) download a manifest list 2) choose an item in the list, see the manifest digest; 3) publish/note the digest of the chosen manifest. Now, the user, given 3), can pull with manifestlist@sha256:digestfromstep3 to refer to an individual manifest, and there is no obvious way to go from sha256:digestfromstep3 to the original manifest list (its digest, and tag, if any, are not known), so the signatures on the manifest list cannot be applied to the individual manifest. So, this would argue for attaching signatures to the individual images, not to the manifest list.
Right...
I’m not sure what the best way to handle signatures for manifest lists is ATM. From a security POV, a signed manifest list implicitly authenticates the signed manifests, so, yes, a manifest signature could be accepted for the manifests listed in there.
is #115 in line with this though for now?
#115 is, AFAICS, OK WRT signing security.
@mtrmac @vrothberg What is the state of this issue. It is two years old, can we close it?
We’ve settled on signing individual images, not the manifest list itself.