-
Notifications
You must be signed in to change notification settings - Fork 98
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Support Cosign Image signature verification with KMS #360
Draft
Xynnn007
wants to merge
5
commits into
confidential-containers:main
Choose a base branch
from
Xynnn007:feat-cdh-kms-pubkey
base: main
Could not load branches
Branch not found: {{ refName }}
Loading
Could not load tags
Nothing to show
Loading
Are you sure you want to change the base?
Some commits from the old base branch may be removed from the timeline,
and old review comments may become outdated.
Draft
Support Cosign Image signature verification with KMS #360
Xynnn007
wants to merge
5
commits into
confidential-containers:main
from
Xynnn007:feat-cdh-kms-pubkey
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
10 tasks
Xynnn007
force-pushed
the
feat-cdh-kms-pubkey
branch
4 times, most recently
from
September 20, 2023 03:28
2106530
to
2a62292
Compare
Xynnn007
force-pushed
the
feat-cdh-kms-pubkey
branch
2 times, most recently
from
November 16, 2023 06:45
27a7db1
to
153e96a
Compare
Xynnn007
requested review from
sameo,
jiangliu,
arronwy,
lumjjb and
jialez0
as code owners
November 16, 2023 06:46
Xynnn007
commented
Nov 16, 2023
@@ -93,6 +93,9 @@ encryption = ["ocicrypt-rs/block-cipher"] | |||
encryption-ring = ["ocicrypt-rs/block-cipher-ring", "encryption"] | |||
encryption-openssl = ["ocicrypt-rs/block-cipher-openssl", "encryption"] | |||
|
|||
# Get needed image verification keys from Confidential Data Hub | |||
confidential-data-hub = ["dep:ttrpc", "dep:protobuf"] |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Let me add tests for this feature in later PRs.
Xynnn007
force-pushed
the
feat-cdh-kms-pubkey
branch
from
December 6, 2023 08:40
153e96a
to
4415e7a
Compare
1570005763
approved these changes
Dec 11, 2023
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Aside from my limited familiarity with cosign, the other parts generally seem quite good.
Xynnn007
force-pushed
the
feat-cdh-kms-pubkey
branch
2 times, most recently
from
December 15, 2023 03:01
6bf1766
to
2faab59
Compare
Also impl PubkeyProvider for KBS Signed-off-by: Xynnn007 <[email protected]>
Signed-off-by: Xynnn007 <[email protected]>
Signed-off-by: Xynnn007 <[email protected]>
Confidential Data Hub now supports to get public key from the different KMS services. The public keys are for signature verification. As currently not all non-attestation functionalities of AA are moved to CDH. So `confidential-data-hub` is a workaround feature to make the code compilable without breaking current logic. After confidential-containers#412 is resolved, we should abandon the `confidential-data-hub` feature. Signed-off-by: Xynnn007 <[email protected]>
Signed-off-by: Xynnn007 <[email protected]>
Xynnn007
force-pushed
the
feat-cdh-kms-pubkey
branch
from
December 15, 2023 06:55
2faab59
to
d041954
Compare
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR mainly add the support to verify image signature with public keys provided by KMS.
image-rs
can get cosign verification public key from CDH when bothcosign
andconfidential-data-hub
feature are enabled