Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Sign and notarize all released docker images. #739

Open
BMurri opened this issue Dec 12, 2023 · 0 comments
Open

Sign and notarize all released docker images. #739

BMurri opened this issue Dec 12, 2023 · 0 comments
Labels
CoA Priority: P2
Milestone
backlog

Comments

@BMurri
Copy link
Collaborator

BMurri commented Dec 12, 2023

Problem:
Currently we a subset of the binaries built from our repos for the two docker images we release as part of these projects (TES & CoA). Those images are linux only, and codesigning anything for that platform that is not a deployment package (such as DEB or RPM) has no practical effect and is, in fact, not required by Microsoft.

Solution:
There now exists a specification and system in place to codesign entire images, allowing containers to potentially gain all of the security advantages that codesigning affords on OSX and Windows platforms. This should become part of our build/release workflows.

Describe alternatives you've considered
Doing nothing.

Code dependencies
Will this require code changes in:

  • CoA, for new and/or existing deployments? Maybe
  • TES, for new and/or existing deployments? Maybe
  • Build pipeline? Maybe
  • Integration tests? Maybe

Additional context
https://notaryproject.dev/
Related to #478
@BMurri BMurri added this to the backlog milestone Dec 12, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
CoA Priority: P2
Projects
None yet
Milestone
backlog
Development

No branches or pull requests
1 participant
@BMurri