Proposal for harbor cosign signature verification #234
base: main
🥁
Thank you for your proposal, this looks indeed valuable.
There are a few edge cases and considerations we need to consider.
Signatures and Image proxying and replication. The proposal should consider and support that use case.
Separation of Ownership and Operation should be reflected in the application configuration. In our user base, Harbor instances are set up by ops teams but used by devs or Platform teams. To take this into account, settings and configuration should be doable on the UI level, and not via env vars, as they are used for base application configuration.
@karaguo I would also like to invite you to present your proposal at the next community meeting. If that doesn't work, I'll suggest you can also do a 15 min recording, that we can watch during the community meeting.
@karaguo, could you contribute to the development of this feature?
@Vad1mo Thanks for the comments! Sgtm! I can work on a brief demo recording and follow up with the review process to kick off.
To add a proposal for cosign signature verification in Harbor

Signed-off-by: Kara Guo <[email protected]>
4e688df to a6fa707
Great progress! We are almost there. I am in favor of the proposal. Now it is about the outline and presentation of the UI/UX.
To iterate over all trust anchor entities, signatures are only verified upon the list. The artifact will pass verification if any trust anchor entity can verify the artifact | ||
|
||
## Non-Goals | ||
* Cosign strict signature verification status shown at UI |
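Review bot: The rule on the first line, "The artifact will pass verification if any trust anchor entity can verify the artifact", is an OR over the whole list, and the text does not say what happens when the list is empty or an entry cannot be loaded. Suggest stating that an empty or unreadable trust anchor list rejects the artifact, and rewording "signatures are only verified upon the list" to "signatures are verified only against the entries in this list" so the scope is unambiguous.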
Why not? We could have 3 types of icons: Red ❌, Orange (Checked), Green (Checked) ✅.
The current green becomes the new orange checked, and the green checked is the new strict.
``` | ||
|
||
#### Option 2 (preferred) | ||
Another option is to use project schema. |
Would it be possible to have a System wide CA setting that can be overwritten or extended with project-specific keys? Can you address that?
Can you also explicitly mention that this way can be used via the UI or API? It is not so clear.
* Content trust cosign middleware: refers to the existing signature verification to check whether the corresponding signature exists or not. | ||
* Content trust strict cosign middleware: refers to the new proposed layer to strictly verify whether the manifest is signed, and signed by trusted entities. | ||
|
||
### How to enable cosign strict verification |
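Review bot: The two middleware definitions do not say how they interact when both are enabled: the first bullet only checks "whether the corresponding signature exists or not", while the second verifies that the manifest is "signed by trusted entities". Suggest adding a sentence on ordering and precedence, for example whether the strict middleware replaces the existence check or runs after it, and which result the client sees when the existence check passes but strict verification fails.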
For design and flow verification, I would also suggest attaching some UI mockups of system-wide and project-specific configuration options.
Generally, we don't plan to include the signature validation, as Harbor's current goal is to focus on OCI artifact management rather than becoming a comprehensive solution. And we can rely on other services or clients to handle the validation.