signalfx/splunk-otel-collector

Image signing

CalebSchwartz opened this issue · 5 comments

Hi,

Would this team be responsible for signing the image? We have an admission controller finding stating that the image is not signed, and utilizing docker trust inspect, that appears accurate.

docker trust inspect signalfx/splunk-otel-collector:0.77.0-amd64
[]
no signatures or cannot access signalfx/splunk-otel-collector:0.77.0-amd64
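An added example, not from the issue or the project: a small Python admission check that reads the JSON that docker trust inspect prints, treats the empty array shown above as unsigned, and admits a tag only when it was signed by a key ID from an operator-supplied allowlist (the public key the reporter asks for). The field names and both sample outputs are assumptions constructed for this example, so check them against the docker version you run.

```python
import json

# Constructed sample: the empty array docker trust inspect prints for an
# image that carries no Docker Content Trust signatures (as in the issue).
UNSIGNED_OUTPUT = "[]"

# Constructed sample modelled on the JSON docker trust inspect emits for a
# signed repository. Field names are an assumption; key IDs are placeholders.
SIGNED_OUTPUT = json.dumps([{
    "Name": "quay.io/example/collector",
    "SignedTags": [
        {"SignedTag": "0.78.1", "Digest": "PLACEHOLDER-DIGEST-1", "Signers": ["release"]},
        {"SignedTag": "latest", "Digest": "PLACEHOLDER-DIGEST-2", "Signers": ["ci-bot"]},
    ],
    "Signers": [
        {"Name": "release", "Keys": [{"ID": "KEY-RELEASE-PLACEHOLDER"}]},
        {"Name": "ci-bot", "Keys": [{"ID": "KEY-CI-PLACEHOLDER"}]},
    ],
}])


def split_ref(image_ref):
    """Split 'repo:tag' into (repo, tag); a missing tag means 'latest'.
    Digest references (repo@sha256:...) are out of scope for this check."""
    repo, sep, tag = image_ref.rpartition(":")
    if not sep or "/" in tag:  # no tag at all, or the colon was a registry port
        return image_ref, "latest"
    return repo, tag


def trusted_signers(inspect_output, image_ref, trusted_key_ids):
    """Return the signer names that signed exactly this tag with a key ID in
    the allowlist. An empty list means the admission controller should reject."""
    repo, tag = split_ref(image_ref)
    admitted = []
    for entry in json.loads(inspect_output):   # "[]" yields no entries: unsigned
        if entry.get("Name") != repo:
            continue
        # signer name -> set of key IDs that signer uses
        keys = {s["Name"]: {k["ID"] for k in s.get("Keys", [])}
                for s in entry.get("Signers", [])}
        for signed in entry.get("SignedTags", []):
            if signed.get("SignedTag") != tag:
                continue              # a signature on another tag proves nothing
            for name in signed.get("Signers", []):
                if keys.get(name, set()) & set(trusted_key_ids):
                    admitted.append(name)
    return sorted(set(admitted))


def admit(inspect_output, image_ref, trusted_key_ids):
    """True only if at least one allowlisted key signed this exact tag."""
    return bool(trusted_signers(inspect_output, image_ref, trusted_key_ids))
```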

We can look into this. Our docker image is typically hosted on quay.io, so the whole image URI is quay.io/signalfx/splunk-otel-collector:0.78.1.

This ends up having the same result since the signature needs to happen during the build pipeline either as part of the push or prior to pushing.
we'd also request the public key be available somewhere so we can load it into the controller to validate.

This is not something we'd be looking to do at this time. Please discuss with your account representative and file a Splunk idea to follow up on this request.

Is there an explanation as to why? This seems like an easy security addition to validate the integrity of the image that a client would be including in their environment. There should not be any regression testing needed, as it's just adding a notary signature, just like you would expect to add to a website certificate authority.

Setting this up requires us to manage the signing architecture, such as managing the private key effectively, which requires a bit of work internally. If you want this, it's best to work with us through Splunk ideas to raise this.