Hendrik/All,I'm reviving this thread because we are taking a look at a cool new project called Cosign [1][2][3]. He briefly mentioned that he has a roadmap to handle key storing devices like Yubikeys and I thought about this email thread (yes, my memory is strange like that). With a little searching I found it and decided to revive it. I'm also tracking a RHEL feature which could potentially implement this.
I'd love feedback from the people on this thread. Many of you seem to have very crisp use cases around keys, know podman, and have strong opinions (which is good). Product Managers love feedback from the community :-) Thoughts?
Also feel free to continue discussion in the GitHub issue [4].
Best RegardsScott M
On Mon, May 18, 2020 at 2:28 PM Scott McCarty <smccarty@redhat.com> wrote:
Hendrik,Thank you for capturing this. We really appreciate it. I've added it to our backlog to discuss at our next planning meeting. I also tagged Mitr (security ninja) in to take a look.
Best RegardsScott M
On Mon, May 18, 2020 at 6:23 AM Hendrik Haddorp <hendrik.haddorp@gmx.net> wrote:
I opened an issue for this now: https://github.com/containers/libpod/issues/6259
On 5/13/20 5:08 PM, Hendrik Haddorp wrote:
Hi Scott, I will open an issue in the next days just trying to collect some more info first.
On 5/13/20 2:51 AM, Scott McCarty wrote:
Hendrik,You might also think about filing a GitHub issue to capture it publicly!
Best RegardsScott M
On Tue, May 12, 2020 at 8:50 PM Scott McCarty <smccarty@redhat.com> wrote:
Hendrik,Thank you for helping me get my brain around this potential feature. We very much appreciate these kinds of ideas. Currently, we are working heavily on the Podman API V2, but I have captured this as a backlogged feature that we will discuss in upcoming planning sessions. I've also captured this thread to come back to it and update when we get a chance to discuss and think about it further.
Best RegardsScott M
On Mon, May 11, 2020 at 5:25 PM Hendrik Haddorp <hendrik.haddorp@gmx.net> wrote:
Hi Scott,
we would like to sign images using an HSM and those provide PKCS#11 (https://www.ibm.com/security/cryptocards/pciecc/overview, https://www.yubico.com/product/yubihsm-2, https://www.nitrokey.com/#comparison) and there does not seem to be any proper connection from that to the OpenPGP world. The only thing I found might be https://github.com/alonbl/gnupg-pkcs11-scd and that looks also a bit limited and dated. I'm currently especially interested in a way to use that IBM crypto card. A relatively easy solution might be to just store the signature hash in the signature file. To verify that it seem to be enough to something like "openssl dgst -sha256 -verify public.pem -signature manifest.sig manifest.json". My understanding so far is that this is actually a PKCS#1 hash calculation. Anyhow if I could get podman doing that openssl call instead of openpgp things would be working for me.
regards,
Hendrik
On 11.05.2020 18:38, Scott McCarty wrote:
Hendrik,That's all that's supported today. Do you have any other tools you would be looking for?
Best RegardsScott M
On Wed, May 6, 2020 at 3:15 AM Hendrik Haddorp <hendrik.haddorp@gmx.net> wrote:
Hi,
is OpenPGP the only supported image signing open supported by podman /
skopeo or are there other options? Using OpenGPG works quite fine for me
so far but in the end we are trying to sign an image using an IBM 4765
crypto card and so far have not figured out how this can play together.
thanks,
Hendrk
_______________________________________________
Podman mailing list -- podman@lists.podman.io
To unsubscribe send an email to podman-leave@lists.podman.io
--
--Moving Wordpress, Mediawiki and Request Tracker into containers: http://crunchtools.com/a-hackers-guide-to-moving-linux-services-into-containers/--Scott McCarty Product Management - Containers, Red Hat Enterprise Linux & OpenShift Email: smccarty@redhat.com Phone: 312-660-3535 Cell: 330-807-1043 Web: http://crunchtools.comUsing Azure Pipelines with Red Hat Universal Base Image and Quay.io: https://red.ht/2TvYo3Y
--
--Moving Wordpress, Mediawiki and Request Tracker into containers: http://crunchtools.com/a-hackers-guide-to-moving-linux-services-into-containers/--Scott McCarty Product Management - Containers, Red Hat Enterprise Linux & OpenShift Email: smccarty@redhat.com Phone: 312-660-3535 Cell: 330-807-1043 Web: http://crunchtools.comUsing Azure Pipelines with Red Hat Universal Base Image and Quay.io: https://red.ht/2TvYo3Y
--
--Moving Wordpress, Mediawiki and Request Tracker into containers: http://crunchtools.com/a-hackers-guide-to-moving-linux-services-into-containers/--Scott McCarty Product Management - Containers, Red Hat Enterprise Linux & OpenShift Email: smccarty@redhat.com Phone: 312-660-3535 Cell: 330-807-1043 Web: http://crunchtools.comUsing Azure Pipelines with Red Hat Universal Base Image and Quay.io: https://red.ht/2TvYo3Y
--
--Moving Wordpress, Mediawiki and Request Tracker into containers: http://crunchtools.com/a-hackers-guide-to-moving-linux-services-into-containers/--Scott McCarty Product Management - Containers, Red Hat Enterprise Linux & OpenShift Email: smccarty@redhat.com Phone: 312-660-3535 Cell: 330-807-1043 Web: http://crunchtools.comUsing Azure Pipelines with Red Hat Universal Base Image and Quay.io: https://red.ht/2TvYo3Y
--
--18 ways to differentiate open source products from upstream suppliers: https://opensource.com/article/21/2/differentiating-products-upstream-suppliers --Scott McCarty Product Management - Containers, Red Hat Enterprise Linux & OpenShift Email: smccarty@redhat.com Phone: 312-660-3535 Cell: 330-807-1043 Web: http://crunchtools.com
_______________________________________________ Podman mailing list -- podman@lists.podman.io To unsubscribe send an email to podman-leave@lists.podman.io