Repository location (GitLab): Projekt46-Signature PoC
Discussion forum (Discourse): Projekt46-Signature PoC
Readme: Projekt46-Signature PoC
Project description:
PublicCode.YML: view
OSS Compliance: view
Q2 / 2022:
We are now entering the second phase of the configurations. We've decided to go with the following
configuration on the way toward production readiness:
We are sunsetting the old configs; they remain accessible via the git tag `Finish-Phase-I`.
What are we doing?
Install connaisseur on the cluster in the namespace `infra-connaisseur` via helm and set the validation policy to `validate`. This means that you have to add the label `securesystemsengineering.connaisseur/webhook=validate` to a namespace to enable connaisseur validation there. In the first phase this should be done for every normal user, project and development namespace, but not for the system namespaces.
Connaisseur installation:
In Cosign the signatures are stored as assets beside the OCI images and don't require a special service. So you will see unfamiliar-looking assets beside your container in Harbor, for example.
I've made a small script make-cosign-key.sh to help you generate different keys. Just invoke it with your key name: `./make-cosign-key.sh mykey`
Sign:
```shell
cosign sign -key cosign-certs/master.key reg.pflaeging.net/sig-poc/pflaeging-net-ubi-debug-cosign:latest
```
Verify:
```shell
cosign verify -key cosign-certs/master.pub reg.pflaeging.net/sig-poc/pflaeging-net-ubi-debug-cosign:latest | jq .
```
Output:
```json
{
  "critical": {
    "identity": {
      "docker-reference": "reg.pflaeging.net/sig-poc/pflaeging-net-ubi-debug-cosign"
    },
    "image": {
      "docker-manifest-digest": "sha256:ed984c3a4e006af0ceffe1b091198acfa7839e60b9eb53af5739674f0f8b5d3e"
    },
    "type": "cosign container image signature"
  },
  "optional": null
}
```
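As an added example (not part of this README or of the Cosign/Connaisseur projects), a post-verification check a deployment pipeline can run over the `cosign verify` output shown above: `cosign verify` proves the signature was made with the expected key, and this step additionally confirms that the signed identity and manifest digest are exactly the repository and digest about to be deployed. The digest is assumed to have been resolved from the registry elsewhere and is passed in as a parameter; the sample output is the one quoted in this README.

```python
import json
from typing import List

# Constructed sample: the `cosign verify ... | jq .` output quoted in this README.
SAMPLE_VERIFY_OUTPUT = """
{
  "critical": {
    "identity": {"docker-reference": "reg.pflaeging.net/sig-poc/pflaeging-net-ubi-debug-cosign"},
    "image": {"docker-manifest-digest": "sha256:ed984c3a4e006af0ceffe1b091198acfa7839e60b9eb53af5739674f0f8b5d3e"},
    "type": "cosign container image signature"
  },
  "optional": null
}
"""

COSIGN_SIG_TYPE = "cosign container image signature"


def parse_signatures(raw: str) -> List[dict]:
    """Accept a single payload object or a JSON list of payloads
    (a list is what you get when several signatures are attached)."""
    data = json.loads(raw)
    return data if isinstance(data, list) else [data]


def strip_tag(reference: str) -> str:
    """'reg/repo:tag' or 'reg/repo@sha256:...' -> 'reg/repo'.
    The signed identity names only the repository, never the tag."""
    ref = reference.split("@", 1)[0]
    # Only strip a ':' in the last path element (the tag), never a registry port.
    head, sep, last = ref.rpartition("/")
    return head + sep + last.split(":", 1)[0]


def signature_matches(payload: dict, expected_ref: str, resolved_digest: str) -> bool:
    """One signature payload is acceptable only if type, repository and digest all match."""
    crit = payload.get("critical", {})
    identity = crit.get("identity", {}).get("docker-reference")
    digest = crit.get("image", {}).get("docker-manifest-digest")
    return (crit.get("type") == COSIGN_SIG_TYPE
            and identity == strip_tag(expected_ref)
            and digest == resolved_digest)


def verified_for_deploy(raw_output: str, expected_ref: str, resolved_digest: str) -> bool:
    """True if at least one signature binds the intended repository to the resolved digest."""
    return any(signature_matches(p, expected_ref, resolved_digest)
               for p in parse_signatures(raw_output))
```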
TBD (pflaeging 2022-07-04)