Proposal for harbor cosign signature verification #234
Conversation
There was a problem hiding this comment.
🥁
Thank you for your proposal, this looks indeed valuable.
There are a few edge cases and considerations we need to consider.
Signatures and Image proxying and replication. The proposal should consider and support that use case.
Separation of Ownership and Operation should be reflected in the application configuration. In our user base, Harbor instance are set up by ops teams but used by devs or Platform teams. To take this into account, setting and configuration should be doable on the UI level, and not via env var as they are used for base application configuration.
|
@karaguo I would also like to invite you to present your proposal at the next community meeting. If that doesn't work, I'll suggest you can also do a 15 min recording, that we can watch during the community meeting |
|
@karaguo, could you contribute to the development of this feature? |
|
@Vad1mo Thanks for the comments! Sgtm! I can work on a brief demo recording and follow up with the review process to kick off |
To add a proposal for cosign signature verification in Harbor Signed-off-by: Kara Guo <[email protected]>
karaguo
force-pushed
the
cosign-verify-proposal
branch
from
4e688df
to
a6fa707
Compare
| To iterate over all trust anchor entities, signatures are only verified upon the list. The artifact will pass verification if any trust anchor entity can verify the artifact | ||
|
|
||
| ## Non-Goals | ||
| * Cosign strict signature verification status shown at UI |
There was a problem hiding this comment.
Why not? We could have 3 types of Icons, Red ❌, Orange(Checked), Green (Checked)✅
The current green becomes the new orange checked, and the green checked is the new strict
| ``` | ||
|
|
||
| #### Option 2 (preferred) | ||
| Another option is to use project schema. |
There was a problem hiding this comment.
Would it be possible to have a System wide CA setting that can be overwritten or extended with project-specific keys? Can you address that?
There was a problem hiding this comment.
Can you also explicitly mention this way can be used via the UI or API? It is not so clear.
| * Content trust cosign middleware: refers to the existing signature verification to check whether the corresponding signature exists or not. | ||
| * Content trust strict cosign middleware: refers to the new proposed layer to strictly verify whether the manifest is signed, and signed by trusted entities. | ||
|
|
||
| ### How to enable cosign strict verification |
There was a problem hiding this comment.
For design, and flow verification, I would also suggest attaching some UI mockups of system-wide and project specific configuration options.
|
Generally, we don't plan to include the signature validation as Harbor's current goal is to focus on OCI artifact management, rather than becoming a comprehensive solution. And we can rely on other service or client to handle the validation. |
To add a proposal for cosign signature verification in Harbor