Hendrik,
Thank you for capturing this. We really appreciate it. I've added it
to our backlog to discuss at our next planning meeting. I also tagged Mitr
(security ninja) in to take a look.
Best Regards
Scott M
On Mon, May 18, 2020 at 6:23 AM Hendrik Haddorp <hendrik.haddorp(a)gmx.net>
wrote:
I opened an issue for this now:
https://github.com/containers/libpod/issues/6259
On 5/13/20 5:08 PM, Hendrik Haddorp wrote:
Hi Scott, I will open an issue in the next days, just trying to collect
some more info first.
On 5/13/20 2:51 AM, Scott McCarty wrote:
Hendrik,
You might also think about filing a GitHub issue to capture it
publicly!
Best Regards
Scott M
On Tue, May 12, 2020 at 8:50 PM Scott McCarty <smccarty(a)redhat.com> wrote:
> Hendrik,
> Thank you for helping me get my brain around this potential feature.
> We very much appreciate these kinds of ideas. Currently, we are working
> heavily on the Podman API V2, but I have captured this as a backlogged
> feature that we will discuss in upcoming planning sessions. I've also
> captured this thread to come back to it and update when we get a chance to
> discuss and think about it further.
>
> Best Regards
> Scott M
>
> On Mon, May 11, 2020 at 5:25 PM Hendrik Haddorp <hendrik.haddorp(a)gmx.net>
> wrote:
>
>> Hi Scott,
>>
>> we would like to sign images using an HSM and those provide PKCS#11 (
>> https://www.ibm.com/security/cryptocards/pciecc/overview,
>> https://www.yubico.com/product/yubihsm-2,
>> https://www.nitrokey.com/#comparison) and there does not seem to be any
>> proper connection from that to the OpenPGP world. The only thing I found
>> might be https://github.com/alonbl/gnupg-pkcs11-scd and that looks also
>> a bit limited and dated. I'm currently especially interested in a way to
>> use that IBM crypto card. A relatively easy solution might be to just store
>> the signature hash in the signature file. To verify that it seems to be
>> enough to do something like "openssl dgst -sha256 -verify public.pem
>> -signature manifest.sig manifest.json". My understanding so far is that
>> this is actually a PKCS#1 hash calculation. Anyhow, if I could get podman
>> doing that openssl call instead of openpgp, things would be working for me.
>>
>> regards,
>> Hendrik
>>
>> On 11.05.2020 18:38, Scott McCarty wrote:
>>
>> Hendrik,
>> That's all that's supported today. Do you have any other tools you
>> would be looking for?
>>
>> Best Regards
>> Scott M
>>
>> On Wed, May 6, 2020 at 3:15 AM Hendrik Haddorp <hendrik.haddorp(a)gmx.net>
>> wrote:
>>
>>> Hi,
>>>
>>> is OpenPGP the only image signing option supported by podman /
>>> skopeo or are there other options? Using OpenPGP works quite fine for me
>>> so far but in the end we are trying to sign an image using an IBM 4765
>>> crypto card and so far have not figured out how this can play together.
>>>
>>> thanks,
>>> Hendrik
>>> _______________________________________________
>>> Podman mailing list -- podman(a)lists.podman.io
>>> To unsubscribe send an email to podman-leave(a)lists.podman.io
>>>
>>
>>
>> --
>>
>> Moving Wordpress, Mediawiki and Request Tracker into containers:
>> http://crunchtools.com/a-hackers-guide-to-moving-linux-services-into-cont...
>>
>> --
>>
>> Scott McCarty
>> Product Management - Containers, Red Hat Enterprise Linux & OpenShift
>> Email: smccarty(a)redhat.com
>> Phone: 312-660-3535
>> Cell: 330-807-1043
>> Web: http://crunchtools.com
>>
>> Using Azure Pipelines with Red Hat Universal Base Image and Quay.io:
>> https://red.ht/2TvYo3Y
>>
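The verification Hendrik describes ("openssl dgst -sha256 -verify public.pem -signature manifest.sig manifest.json") checks an RSA PKCS#1 v1.5 signature over SHA-256 of the manifest bytes. The Go program below is an added illustration, not code from podman, skopeo or anyone in this thread: it signs a constructed manifest the same way and verifies it, with an in-memory RSA key standing in for the HSM (assumption) and a one-byte change showing the signature no longer verifies.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
	"log"
)

// Constructed sample manifest standing in for the image manifest bytes that
// podman/skopeo would hand to a signing backend.
var manifestJSON = []byte(`{"schemaVersion":2,"config":{"digest":"sha256:0000"}}`)

// signManifest returns the raw PKCS#1 v1.5 signature over SHA-256(manifest),
// the same bytes "openssl dgst -sha256 -sign key.pem" writes to manifest.sig.
// An in-memory RSA key stands in for the HSM (assumption); with PKCS#11 the
// same digest would go to the token's RSA PKCS#1 v1.5 signing mechanism.
func signManifest(key *rsa.PrivateKey, manifest []byte) ([]byte, error) {
	digest := sha256.Sum256(manifest)
	return rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
}

// verifyManifest mirrors "openssl dgst -sha256 -verify public.pem
// -signature manifest.sig manifest.json": it recomputes the digest and
// checks the PKCS#1 v1.5 signature against it, accepting nothing else.
func verifyManifest(pub *rsa.PublicKey, manifest, sig []byte) bool {
	digest := sha256.Sum256(manifest)
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) == nil
}

func main() {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		log.Fatal(err)
	}
	sig, err := signManifest(key, manifestJSON)
	if err != nil {
		log.Fatal(err)
	}
	fmt.Println("signature bytes:", len(sig))
	fmt.Println("original verifies:", verifyManifest(&key.PublicKey, manifestJSON, sig))
	// Flip one byte of the manifest: the signature must no longer verify.
	tampered := append([]byte(nil), manifestJSON...)
	tampered[len(tampered)-3] ^= 1
	fmt.Println("tampered verifies:", verifyManifest(&key.PublicKey, tampered, sig))
}
```

The signature bytes are the same ones openssl produces and accepts for this key, since both sides use PKCS#1 v1.5 with the SHA-256 DigestInfo encoding.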