Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[question] use cosign for containerImages #14

Open
curx opened this issue Aug 7, 2022 · 1 comment
Open

[question] use cosign for containerImages #14

curx opened this issue Aug 7, 2022 · 1 comment

Comments

@curx
Copy link

curx commented Aug 7, 2022

Since the cosign can be used to verify container images are there any plans to do so and provide a cosign public key for validation?
@ralflang
Copy link
Contributor

ralflang commented Aug 8, 2022

Just to ensure we're talking about the same thing: https://blog.sigstore.dev/cosign-image-signatures-77bab238a93 this, right?

It does make sense to introduce something like that but I think we should first improve our naming and tagging, including the supporting pipeline. So far we only maintain a latest-greatest tag for each different flavour/dimension of the image

  • Base OS and PHP Version openSUSE 15.3 / PHP 7.4 vs openSUSE Tumbleweed / PHP 8.1
  • Image content (base install, groupware or groupware with webmail)
  • Runtime: cli, apache, fpm (tbd)

We should add some logic to keep tags for at least one "known good" and recent builds. And these should be signed.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@ralflang @curx