Hendrik,
Thank you for helping me get my brain around this potential feature.
We very much appreciate these kinds of ideas. Currently, we are working
heavily on the Podman API V2, but I have captured this as a backlogged
feature that we will discuss in upcoming planning sessions. I've also
captured this thread to come back to it and update when we get a chance to
discuss and think about it further.
Best Regards
Scott M
On Mon, May 11, 2020 at 5:25 PM Hendrik Haddorp <hendrik.haddorp(a)gmx.net> wrote:
Hi Scott,
we would like to sign images using an HSM, and those provide PKCS#11 (https://www.ibm.com/security/cryptocards/pciecc/overview, https://www.yubico.com/product/yubihsm-2, https://www.nitrokey.com/#comparison), and there does not seem to be any proper connection from that to the OpenPGP world. The only thing I found might be https://github.com/alonbl/gnupg-pkcs11-scd, and that also looks a bit limited and dated. I'm currently especially interested in a way to use that IBM crypto card. A relatively easy solution might be to just store the signature hash in the signature file. To verify that, it seems to be enough to do something like "openssl dgst -sha256 -verify public.pem -signature manifest.sig manifest.json". My understanding so far is that this is actually a PKCS#1 hash calculation. Anyhow, if I could get podman doing that openssl call instead of OpenPGP, things would be working for me.
regards,
Hendrik
On 11.05.2020 18:38, Scott McCarty wrote:
Hendrik,
That's all that's supported today. Do you have any other tools you
would be looking for?
Best Regards
Scott M
On Wed, May 6, 2020 at 3:15 AM Hendrik Haddorp <hendrik.haddorp(a)gmx.net> wrote:
> Hi,
>
> is OpenPGP the only image signing option supported by podman /
> skopeo or are there other options? Using OpenPGP works quite fine for me
> so far but in the end we are trying to sign an image using an IBM 4765
> crypto card and so far have not figured out how this can play together.
>
> thanks,
> Hendrik
> _______________________________________________
> Podman mailing list -- podman(a)lists.podman.io
> To unsubscribe send an email to podman-leave(a)lists.podman.io
>
--
--
Moving Wordpress, Mediawiki and Request Tracker into containers:
http://crunchtools.com/a-hackers-guide-to-moving-linux-services-into-cont...
--
Scott McCarty
Product Management - Containers, Red Hat Enterprise Linux & OpenShift
Email: smccarty(a)redhat.com
Phone: 312-660-3535
Cell: 330-807-1043
Web:
http://crunchtools.com
Using Azure Pipelines with Red Hat Universal Base Image and Quay.io:
https://red.ht/2TvYo3Y
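The verification step Hendrik describes above, shown here as an added example (it is not code from this thread, from podman or from skopeo): an RSA PKCS#1 v1.5 signature over the SHA-256 digest of a manifest, checked the same way `openssl dgst -sha256 -verify public.pem -signature manifest.sig manifest.json` checks it. The RSA key is generated in software as a stand-in for a key held in a PKCS#11 HSM (an assumption, since the HSM would perform the signing and never release the private key), and the manifest bytes are constructed for the demonstration.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"encoding/pem"
	"fmt"
	"os"
)

// manifest is a constructed stand-in for an image manifest; the digest inside
// it is a placeholder, not a real image reference.
var manifest = []byte(`{"schemaVersion":2,"config":{"digest":"sha256:<placeholder>"}}`)

// SignManifest hashes the manifest with SHA-256 and produces a PKCS#1 v1.5
// signature over that digest. With an HSM, this call is what the PKCS#11
// C_Sign operation would perform on the device; here a software key is used.
func SignManifest(priv *rsa.PrivateKey, m []byte) ([]byte, error) {
	digest := sha256.Sum256(m)
	return rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
}

// VerifyManifest is the programmatic equivalent of
//   openssl dgst -sha256 -verify public.pem -signature manifest.sig manifest.json
// It recomputes the SHA-256 digest and checks the PKCS#1 v1.5 signature against
// the public key; any change to the manifest bytes makes this return an error.
func VerifyManifest(pub *rsa.PublicKey, m, sig []byte) error {
	digest := sha256.Sum256(m)
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig)
}

// PublicKeyPEM encodes the verification key as a SubjectPublicKeyInfo PEM
// block, the form `openssl dgst -verify public.pem` reads.
func PublicKeyPEM(pub *rsa.PublicKey) ([]byte, error) {
	der, err := x509.MarshalPKIXPublicKey(pub)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "PUBLIC KEY", Bytes: der}), nil
}

func main() {
	// Software key standing in for the HSM-resident signing key (assumption).
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	sig, err := SignManifest(priv, manifest)
	if err != nil {
		panic(err)
	}
	pubPEM, err := PublicKeyPEM(&priv.PublicKey)
	if err != nil {
		panic(err)
	}
	// Write the three files named in the thread so the openssl command above
	// can be run against them as an independent check.
	for name, data := range map[string][]byte{
		"manifest.json": manifest, "manifest.sig": sig, "public.pem": pubPEM,
	} {
		if err := os.WriteFile(name, data, 0o644); err != nil {
			panic(err)
		}
	}
	if err := VerifyManifest(&priv.PublicKey, manifest, sig); err != nil {
		panic(err)
	}
	fmt.Println("manifest signature verified")

	// A single flipped byte in the manifest must cause verification to fail.
	tampered := append([]byte{}, manifest...)
	tampered[10] ^= 0x01
	if err := VerifyManifest(&priv.PublicKey, tampered, sig); err != nil {
		fmt.Println("tampered manifest rejected:", err)
	}
}
```

The design choice worth noting is that the signature file carries only the raw PKCS#1 signature, so a verifier needs the public key and the exact manifest bytes from elsewhere; the OpenPGP format that podman and skopeo use today bundles signer identity and the signed payload into one object, which is the gap an HSM-backed scheme would have to fill on the policy side.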