Proposal for harbor cosign signature verification #234

Open
karaguo wants to merge 2 commits into base: main

@karaguo karaguo commented Nov 22, 2023

To add a proposal for cosign signature verification in Harbor

Member

@Vad1mo Vad1mo left a comment

🥁
Thank you for your proposal, this looks indeed valuable.

There are a few edge cases and considerations we need to consider.

* Signatures and Image proxying and replication. The proposal should consider and support that use case.
* Separation of Ownership and Operation should be reflected in the application configuration. In our user base, Harbor instances are set up by ops teams but used by devs or Platform teams. To take this into account, setting and configuration should be doable on the UI level, and not via env var as they are used for base application configuration.

Member

Vad1mo commented Nov 22, 2023

@karaguo I would also like to invite you to present your proposal at the next community meeting.

If that doesn't work, I'll suggest you can also do a 15 min recording that we can watch during the community meeting.

@OrlinVasilev OrlinVasilev requested a review from a team November 23, 2023 07:50
Member

Vad1mo commented Nov 28, 2023

@karaguo, could you contribute to the development of this feature?

Author

karaguo commented Nov 29, 2023

@Vad1mo Thanks for the comments! Sgtm! I can work on a brief demo recording and follow up with the review process to kick off

To add a proposal for cosign signature verification in Harbor

Signed-off-by: Kara Guo <[email protected]>
@karaguo karaguo force-pushed the cosign-verify-proposal branch from 4e688df to a6fa707 Compare December 14, 2023 00:43
Member

@Vad1mo Vad1mo left a comment

Great progress! We are almost there. I am in favor of the proposal. Now it is about the outline and presentation of the UI/UX.

To iterate over all trust anchor entities, signatures are only verified upon the list. The artifact will pass verification if any trust anchor entity can verify the artifact

## Non-Goals
* Cosign strict signature verification status shown at UI
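
Review bot: The sentence "signatures are only verified upon the list" does not say what the result is when the trust anchor list is empty, or when a signature exists but no listed entity verifies it; state the outcome for both cases explicitly. Because the artifact passes "if any trust anchor entity can verify the artifact", the text should also note that each listed entity is sufficient on its own, so the list is only as strict as its broadest entry.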
Member

Why not? We could have 3 types of Icons, Red ❌, Orange(Checked), Green (Checked)✅
The current green becomes the new orange checked, and the green checked is the new strict

```

#### Option 2 (preferred)
Another option is to use project schema.
Member

Would it be possible to have a System wide CA setting that can be overwritten or extended with project-specific keys? Can you address that?

Member

Can you also explicitly mention this way can be used via the UI or API? It is not so clear.

* Content trust cosign middleware: refers to the existing signature verification to check whether the corresponding signature exists or not.
* Content trust strict cosign middleware: refers to the new proposed layer to strictly verify whether the manifest is signed, and signed by trusted entities.

### How to enable cosign strict verification
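
Review bot: The two middleware definitions do not say how they relate when both are enabled. Since the existing middleware only checks "whether the corresponding signature exists or not", the text should spell out whether the strict middleware replaces it or runs after it, and which of the two decides the final result.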
Member

For design, and flow verification, I would also suggest attaching some UI mockups of system-wide and project specific configuration options.

@wy65701436
Contributor

Generally, we don't plan to include the signature validation as Harbor's current goal is to focus on OCI artifact management, rather than becoming a comprehensive solution. And we can rely on other services or clients to handle the validation.
