Description
What would you like to be added?
The signature verification workflow involves multiple parties that Ratify needs to interact with. In the context of the Notary Project signature, Ratify interacts with various entities to complete the verification process:
- Registry Interaction: Ratify communicates with an OCI Registry to fetch signatures and descriptors associated with the corresponding OCI artifact (for example, a container image).
- KMS Interaction: Ratify may also need to interact with a Key Management Service (KMS) to retrieve certificates for creating trust stores to validate signatures.
During the signature verification process, Ratify performs the following tasks by default.
- Revocation Checking: Ratify checks for certificate revocation by either contacting an Online Certificate Status Protocol (OCSP) responder or fetching Certificate Revocation Lists (CRLs) from a server.
- Timestamp Countersignature Verification: If timestamp countersignatures are involved, Ratify again contacts the OCSP responder or retrieves CRLs to verify their revocation status.
However, there are challenges. Because Ratify acts as a client, it sends outbound requests to external servers, which may respond slowly or not at all. These delays add to the overall signature verification time. For instance, if Gatekeepers from various vendors impose specific time limits on webhook validation, Ratify might fail to respond in time, resulting in policy failures and blocked image deployments (especially if the policy effect is DENY). Even where no such time limit exists, a slow webhook validation degrades performance and the user experience; for example, deploying an application in Kubernetes may take too long.
To address this, we need to explore ways to reduce client-server interaction time, to handle servers that respond slowly or not at all, and to handle the specific time requirements that Gatekeepers from different vendors may impose. The goal is to make Ratify respond quickly and accurately to validating webhooks and to improve the overall policy-control experience for users.
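One way to keep a silent OCSP responder or CRL server from consuming the webhook's time budget is to run each revocation lookup under its own deadline, derived from the parent context that carries the webhook's overall deadline. The following is an added example, not Ratify's own code; `CheckWithBudget`, `Checker`, `FakeResponder` and the status values are names chosen for illustration, and `FakeResponder` is a constructed stand-in for a network endpoint so the example runs offline.

```go
package main

import (
	"context"
	"time"
)

// RevocationStatus is the outcome of one OCSP/CRL lookup.
type RevocationStatus int

const (
	StatusGood RevocationStatus = iota
	StatusRevoked
	StatusUnknown // no answer inside the time budget: policy decides fail-open/closed
)

// Checker abstracts one revocation source (OCSP responder or CRL server);
// the network call sits behind it so the example runs offline.
type Checker func(ctx context.Context) (RevocationStatus, error)

// CheckWithBudget runs one lookup under its own deadline so a silent or slow
// server cannot consume the whole webhook budget; on timeout it returns
// StatusUnknown with context.DeadlineExceeded instead of blocking the webhook.
func CheckWithBudget(parent context.Context, budget time.Duration, check Checker) (RevocationStatus, error) {
	ctx, cancel := context.WithTimeout(parent, budget)
	defer cancel()
	type result struct {
		status RevocationStatus
		err    error
	}
	done := make(chan result, 1) // buffered: a late answer must not block the goroutine
	go func() {
		s, err := check(ctx)
		done <- result{s, err}
	}()
	select {
	case r := <-done:
		return r.status, r.err
	case <-ctx.Done(): // fires even if check ignores ctx and hangs
		return StatusUnknown, ctx.Err()
	}
}

// FakeResponder stands in for an OCSP/CRL endpoint that answers only after delay d
// (constructed for this example; it ignores cancellation, like a server that never replies).
func FakeResponder(d time.Duration, answer RevocationStatus) Checker {
	return func(ctx context.Context) (RevocationStatus, error) {
		time.Sleep(d)
		return answer, nil
	}
}
```

Passing the webhook handler's own context as `parent` also caps the sum of the signing-certificate and timestamp-certificate lookups at the webhook deadline, since the child deadline never exceeds the parent's.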
Anything else you would like to add?
Besides signature verification, there are other types of artifact verification, such as SBOMs or vulnerability reports, which may be discussed together for a unified solution.
Are you willing to submit PRs to contribute to this feature?
- Yes, I am willing to implement it.