blue-build/cli

feat: Add `trust` command to update `policy.json`

Opened this issue · 3 comments

Currently we require users to rebase to an unsigned image before rebasing yet again to the same image as signed. This limitation is due to the fact that we need the cosign public key and an updated policy.json in order to properly trust the image which would only exist in the image. Now that we have a CLI tool that is installed in all images created by it, we have the ability to pull that information and update the user's policy.json as needed.

Information for the source of the image is stored in the label org.opencontainers.image.source. We can use that information to get the cosign.pub file and use that to verify. After we verify the image, we can then update the policy.json and store the public key somewhere. I'm thinking /etc/pki/containers and set the filename to a hash of the file to keep uniqueness.
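The offline half of the flow proposed above, written out as an added example (it is not blue-build/cli code). It assumes the caller has already read the `org.opencontainers.image.source` label, fetched `cosign.pub` from that repo, and run `cosign verify` successfully; `trust_image` then stores the key under `/etc/pki/containers` (the location suggested in the issue) with a SHA-256-derived filename and adds a `sigstoreSigned` requirement for the image's repository to `policy.json`. The policy entry shape is the real containers-policy.json `sigstoreSigned` format; `KEY_DIR`, the function names and the sample key and policy are constructed for the example.

```python
"""Added example, not blue-build/cli's own code: store a verified cosign public
key and add a sigstoreSigned requirement to a containers policy.json.
Assumes the key bytes were already fetched from the repo named in the
org.opencontainers.image.source label and verified with `cosign verify`."""
import hashlib
import json
import os
import tempfile

KEY_DIR = "/etc/pki/containers"  # location proposed in the issue (assumption)

# Constructed sample inputs; not a real key.
SAMPLE_KEY = (
    b"-----BEGIN PUBLIC KEY-----\n"
    b"constructed-example-not-a-real-key\n"
    b"-----END PUBLIC KEY-----\n"
)
SAMPLE_POLICY = {"default": [{"type": "insecureAcceptAnything"}]}


def repository_of(image_ref: str) -> str:
    """Strip digest and tag: ghcr.io/org/img:tag@sha256:... -> ghcr.io/org/img.
    Keying the policy by repository covers every tag of that image."""
    ref = image_ref.split("@", 1)[0]
    head, _, tail = ref.rpartition("/")
    tail = tail.split(":", 1)[0]  # only a colon after the last '/' is a tag
    return f"{head}/{tail}" if head else tail


def key_filename(pub_key: bytes) -> str:
    """Hash of the file contents as the name: identical keys dedupe, distinct
    keys cannot collide, and no name comes from untrusted input."""
    return hashlib.sha256(pub_key).hexdigest() + ".pub"


def store_key(pub_key: bytes, key_dir: str = KEY_DIR) -> str:
    """Write the key once, world-readable but not writable; return its path."""
    os.makedirs(key_dir, mode=0o755, exist_ok=True)
    path = os.path.join(key_dir, key_filename(pub_key))
    if not os.path.exists(path):
        with open(path, "wb") as fh:
            fh.write(pub_key)
        os.chmod(path, 0o644)
    return path


def add_sigstore_requirement(policy: dict, image_ref: str, key_path: str) -> dict:
    """Return a copy of `policy` requiring a cosign signature by `key_path`
    for the image's repository. All requirements in a scope's list must
    pass, so appending to an existing list only tightens the policy."""
    repo = repository_of(image_ref)
    requirement = {
        "type": "sigstoreSigned",
        "keyPath": key_path,
        "signedIdentity": {"type": "matchRepository"},
    }
    new_policy = json.loads(json.dumps(policy))  # deep copy, leave input alone
    docker = new_policy.setdefault("transports", {}).setdefault("docker", {})
    entries = docker.setdefault(repo, [])
    if requirement not in entries:  # idempotent on repeated `trust` runs
        entries.append(requirement)
    return new_policy


def trust_image(policy: dict, image_ref: str, pub_key: bytes,
                key_dir: str = KEY_DIR) -> tuple[dict, str]:
    """Store the key and return (updated policy, key path)."""
    path = store_key(pub_key, key_dir)
    return add_sigstore_requirement(policy, image_ref, path), path


if __name__ == "__main__":
    # Demo in a temp dir so it runs without root; a real run would use KEY_DIR.
    with tempfile.TemporaryDirectory() as tmp:
        policy, path = trust_image(
            SAMPLE_POLICY, "ghcr.io/blue-build/cli:latest", SAMPLE_KEY, tmp)
        print("key stored at", path)
        print(json.dumps(policy, indent=2))
```

One caveat for the surrounding tooling: cosign signatures attached to the registry are only looked up by podman/skopeo when the registry's `registries.d` entry sets `use-sigstore-attachments: true`, so a `trust` command would have to check that as well as `policy.json`.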

Can we guarantee that the cosign.pub will exist at a specific place in the repo, or is there a label we could add that would point directly to it?

> Can we guarantee that the cosign.pub will exist at a specific place in the repo, or is there a label we could add that would point directly to it?

I was planning on assuming that it would be in the root of the project, but adding a label or looking for an existing standard would help.

There doesn't seem to be a standard. https://github.com/opencontainers/image-spec/blob/main/annotations.md#pre-defined-annotation-keys

Keep in mind that the key fetching from the source repo would have to happen directly through git to support other forges than GitHub.