[Podman] Re: image signing

Hendrik, Thank you for capturing this. We really appreciate it. I've added it to our backlog to discuss at our next planning meeting. I also tagged Mitr (security ninja) in to take a look. Best Regards Scott M On Mon, May 18, 2020 at 6:23 AM Hendrik Haddorp <hendrik.haddorp(a)gmx.net&gt; wrote: > I opened an issue for this now: > https://github.com/containers/libpod/issues/6259 > > On 5/13/20 5:08 PM, Hendrik Haddorp wrote: > > Hi Scott, I will open an issue in the next days just trying to collect > some more info first. > > On 5/13/20 2:51 AM, Scott McCarty wrote: > > Hendrik, > You might also think about filing a GitHub issue to capture it > publicly! > > Best Regards > Scott M > > On Tue, May 12, 2020 at 8:50 PM Scott McCarty <smccarty(a)redhat.com&gt; > wrote: > >> Hendrik, >> Thank you for helping me get my brain around this potential >> feature. We very much appreciate these kinds of ideas. Currently, we are >> working heavily on the Podman API V2, but I have captured this as a >> backlogged feature that we will discuss in upcoming planning sessions. I've >> also captured this thread to come back to it and update when we get a >> chance to discuss and think about it further. >> >> Best Regards >> Scott M >> >> On Mon, May 11, 2020 at 5:25 PM Hendrik Haddorp <hendrik.haddorp(a)gmx.net&gt; >> wrote: >> >>> Hi Scott, >>> >>> we would like to sign images using an HSM and those provide PKCS#11 ( >>> https://www.ibm.com/security/cryptocards/pciecc/overview, >>> https://www.yubico.com/product/yubihsm-2, >>> https://www.nitrokey.com/#comparison) and there does not seem to be >>> any proper connection from that to the OpenPGP world. The only thing I >>> found might be https://github.com/alonbl/gnupg-pkcs11-scd and that >>> looks also a bit limited and dated. I'm currently especially interested in >>> a way to use that IBM crypto card. A relatively easy solution might be to >>> just store the signature hash in the signature file. To verify that it seem >>> to be enough to something like "openssl dgst -sha256 -verify public.pem >>> -signature manifest.sig manifest.json". My understanding so far is that >>> this is actually a PKCS#1 hash calculation. Anyhow if I could get podman >>> doing that openssl call instead of openpgp things would be working for me. >>> >>> regards, >>> Hendrik >>> >>> On 11.05.2020 18:38, Scott McCarty wrote: >>> >>> Hendrik, >>> That's all that's supported today. Do you have any other tools you >>> would be looking for? >>> >>> Best Regards >>> Scott M >>> >>> On Wed, May 6, 2020 at 3:15 AM Hendrik Haddorp <hendrik.haddorp(a)gmx.net&gt; >>> wrote: >>> >>>> Hi, >>>> >>>> is OpenPGP the only supported image signing open supported by podman / >>>> skopeo or are there other options? Using OpenGPG works quite fine for >>>> me >>>> so far but in the end we are trying to sign an image using an IBM 4765 >>>> crypto card and so far have not figured out how this can play together. >>>> >>>> thanks, >>>> Hendrk >>>> _______________________________________________ >>>> Podman mailing list -- podman(a)lists.podman.io >>>> To unsubscribe send an email to podman-leave(a)lists.podman.io >>>> >>> >>> >>> -- >>> >>> -- >>> >>> Moving Wordpress, Mediawiki and Request Tracker into containers: http://crunchtools.com/a-hackers-guide-to-moving-linux-services-into-cont... >>> >>> -- >>> >>> Scott McCarty >>> Product Management - Containers, Red Hat Enterprise Linux & OpenShift >>> Email: smccarty(a)redhat.com >>> Phone: 312-660-3535 >>> Cell: 330-807-1043 >>> Web: http://crunchtools.com >>> >>> Using Azure Pipelines with Red Hat Universal Base Image and Quay.io: https://red.ht/2TvYo3Y >>> >>> >>> >> >> -- >> >> -- >> >> Moving Wordpress, Mediawiki and Request Tracker into containers: http://crunchtools.com/a-hackers-guide-to-moving-linux-services-into-cont... >> >> -- >> >> Scott McCarty >> Product Management - Containers, Red Hat Enterprise Linux & OpenShift >> Email: smccarty(a)redhat.com >> Phone: 312-660-3535 >> Cell: 330-807-1043 >> Web: http://crunchtools.com >> >> Using Azure Pipelines with Red Hat Universal Base Image and Quay.io: https://red.ht/2TvYo3Y >> >> > > -- > > -- > > Moving Wordpress, Mediawiki and Request Tracker into containers: http://crunchtools.com/a-hackers-guide-to-moving-linux-services-into-cont... > > -- > > Scott McCarty > Product Management - Containers, Red Hat Enterprise Linux & OpenShift > Email: smccarty(a)redhat.com > Phone: 312-660-3535 > Cell: 330-807-1043 > Web: http://crunchtools.com > > Using Azure Pipelines with Red Hat Universal Base Image and Quay.io: https://red.ht/2TvYo3Y > > > > -- -- Moving Wordpress, Mediawiki and Request Tracker into containers: http://crunchtools.com/a-hackers-guide-to-moving-linux-services-into-cont... -- Scott McCarty Product Management - Containers, Red Hat Enterprise Linux & OpenShift Email: smccarty(a)redhat.com Phone: 312-660-3535 Cell: 330-807-1043 Web: http://crunchtools.com Using Azure Pipelines with Red Hat Universal Base Image and Quay.io: https://red.ht/2TvYo3Y