[App CR] Support signature verification for fetched artefacts using Sigstore #1078
Labels
carvel-accepted
This issue should be considered for future work and that the triage process has been completed
enhancement
This issue is a feature request
Describe the problem/challenge you have
When fetching artefacts as part of the App CR, it would be great if it was possible to verify their signature in advance (Git commits, OCI images...). This could be added once vendir gets the Sigstore integration as per carvel-dev/vendir#92.
There's a similar issue about doing the same, but only for Git commits when using GPG: #6.
Vote on this request
This is an invitation to the community to vote on issues, to help us prioritize our backlog. Use the "smiley face" up to the right of this comment to vote.
👍 "I would like to see this addressed as soon as possible"
👎 "There are other more important things to focus on right now"
We are also happy to receive and review Pull Requests if you want to help work on this issue.