Hi Scott, I will open an issue in the next days just trying to
collect some more info first.
On 5/13/20 2:51 AM, Scott McCarty wrote:
> Hendrik,
> You might also think about filing a GitHub issue to capture it
> publicly!
>
> Best Regards
> Scott M
>
> On Tue, May 12, 2020 at 8:50 PM Scott McCarty <smccarty(a)redhat.com
> <mailto:smccarty@redhat.com>> wrote:
>
> Hendrik,
> Thank you for helping me get my brain around this potential
> feature. We very much appreciate these kinds of ideas. Currently,
> we are working heavily on the Podman API V2, but I have captured
> this as a backlogged feature that we will discuss in upcoming
> planning sessions. I've also captured this thread to come back to
> it and update when we get a chance to discuss and think about it
> further.
>
> Best Regards
> Scott M
>
> On Mon, May 11, 2020 at 5:25 PM Hendrik Haddorp
> <hendrik.haddorp(a)gmx.net <mailto:hendrik.haddorp@gmx.net>> wrote:
>
> Hi Scott,
>
> we would like to sign images using an HSM and those provide
> PKCS#11 (https://www.ibm.com/security/cryptocards/pciecc/overview,
> https://www.yubico.com/product/yubihsm-2,
> https://www.nitrokey.com/#comparison) and there does not seem
> to be any proper connection from that to the OpenPGP world.
> The only thing I found might be
> https://github.com/alonbl/gnupg-pkcs11-scd and that looks
> also a bit limited and dated. I'm currently especially
> interested in a way to use that IBM crypto card. A relatively
> easy solution might be to just store the signature hash in
> the signature file. To verify that it seems to be enough to do
> something like "openssl dgst -sha256 -verify public.pem
> -signature manifest.sig manifest.json". My understanding so
> far is that this is actually a PKCS#1 hash calculation.
> Anyhow if I could get podman doing that openssl call instead
> of openpgp things would be working for me.
>
> regards,
> Hendrik
>
> On 11.05.2020 18:38, Scott McCarty wrote:
>> Hendrik,
>> That's all that's supported today. Do you have any other
>> tools you would be looking for?
>>
>> Best Regards
>> Scott M
>>
>> On Wed, May 6, 2020 at 3:15 AM Hendrik Haddorp
>> <hendrik.haddorp(a)gmx.net <mailto:hendrik.haddorp@gmx.net>>
>> wrote:
>>
>> Hi,
>>
>> is OpenPGP the only supported image signing option
>> supported by podman /
>> skopeo or are there other options? Using OpenGPG works
>> quite fine for me
>> so far but in the end we are trying to sign an image
>> using an IBM 4765
>> crypto card and so far have not figured out how this can
>> play together.
>>
>> thanks,
>> Hendrik
>> _______________________________________________
>> Podman mailing list -- podman(a)lists.podman.io
>> --
>> Moving Wordpress, Mediawiki and Request Tracker into containers:
>> http://crunchtools.com/a-hackers-guide-to-moving-linux-service...
>> --
>> Scott McCarty Product Management - Containers, Red Hat
>> Enterprise Linux & OpenShift Email: smccarty(a)redhat.com
>> <mailto:smccarty@redhat.com> Phone: 312-660-3535 Cell:
>> 330-807-1043 Web: http://crunchtools.com
>> Using Azure Pipelines with Red Hat Universal Base Image and
>> Quay.io: https://red.ht/2TvYo3Y
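
The openssl verification call quoted in Hendrik's message, shown as a full sign-and-verify round trip with a tamper check. This is an added example, not part of the original thread and not Podman or skopeo code; a software RSA key stands in for the HSM-held key, and the manifest content and function names are constructed for illustration.

```shell
#!/bin/sh
# Added example: detached signature over an image manifest, checked with the
# "openssl dgst -sha256 -verify" call quoted in the thread.
# Assumptions: a throwaway software RSA key replaces the HSM key, and the
# manifest content below is constructed sample data.

# make_fixture DIR: create a key pair and a sample manifest in DIR.
make_fixture() {
    dir=$1
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$dir/private.pem" 2>/dev/null || return 1
    openssl pkey -in "$dir/private.pem" -pubout -out "$dir/public.pem" || return 1
    printf '%s\n' \
        '{"schemaVersion":2,"layers":[{"digest":"sha256:constructed-sample"}]}' \
        > "$dir/manifest.json"
}

# sign_manifest DIR: sign the SHA-256 digest of the manifest. For RSA keys,
# openssl dgst uses PKCS#1 v1.5 signature padding by default.
sign_manifest() {
    openssl dgst -sha256 -sign "$1/private.pem" \
        -out "$1/manifest.sig" "$1/manifest.json"
}

# verify_manifest DIR: exit status 0 only when manifest.sig matches both
# manifest.json and public.pem.
verify_manifest() {
    openssl dgst -sha256 -verify "$1/public.pem" \
        -signature "$1/manifest.sig" "$1/manifest.json" >/dev/null 2>&1
}

# demo: round trip, then a one-byte change to show the signature is bound
# to the exact manifest bytes.
demo() {
    work=$(mktemp -d) || return 1
    make_fixture "$work" && sign_manifest "$work" || { rm -rf "$work"; return 1; }
    if verify_manifest "$work"; then echo "untouched manifest: verified"; fi
    printf ' ' >> "$work/manifest.json"
    if ! verify_manifest "$work"; then echo "modified manifest: rejected"; fi
    rm -rf "$work"
}

demo
```

Only the public key and the detached signature file are needed on the verifying side, so the private key never has to leave the signing device.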