Hendrik,      That's all that's supported today. Do you have any other tools you would be looking for? Best Regards Scott M On Wed, May 6, 2020 at 3:15 AM Hendrik Haddorp <hendrik.haddorp(a)gmx.net <mailto:hendrik.haddorp@gmx.net>> wrote: Hi, is OpenPGP the only supported image signing open supported by podman / skopeo or are there other options? Using OpenGPG works quite fine for me so far but in the end we are trying to sign an image using an IBM 4765 crypto card and so far have not figured out how this can play together. thanks, Hendrk _______________________________________________ Podman mailing list -- podman(a)lists.podman.io <mailto:podman@lists.podman.io> To unsubscribe send an email to podman-leave(a)lists.podman.io <mailto:podman-leave@lists.podman.io> -- -- Moving Wordpress, Mediawiki and Request Tracker into containers:http://crunchtools.com/a-hackers-guide-to-moving-linux-service... -- Scott McCarty Product Management - Containers, Red Hat Enterprise Linux & OpenShift Email: smccarty(a)redhat.com <mailto:smccarty@redhat.com> Phone: 312-660-3535 Cell: 330-807-1043 Web: http://crunchtools.com Using Azure Pipelines with Red Hat Universal Base Image and Quay.io:https://red.ht/2TvYo3Y

Hendrik, Thank you for helping me get my brain around this potential feature. We very much appreciate these kinds of ideas. Currently, we are working heavily on the Podman API V2, but I have captured this as a backlogged feature that we will discuss in upcoming planning sessions. I've also captured this thread to come back to it and update when we get a chance to discuss and think about it further. Best Regards Scott M On Mon, May 11, 2020 at 5:25 PM Hendrik Haddorp <hendrik.haddorp(a)gmx.net&gt; wrote: > Hi Scott, > > we would like to sign images using an HSM and those provide PKCS#11 ( > https://www.ibm.com/security/cryptocards/pciecc/overview, > https://www.yubico.com/product/yubihsm-2, > https://www.nitrokey.com/#comparison) and there does not seem to be any > proper connection from that to the OpenPGP world. The only thing I found > might be https://github.com/alonbl/gnupg-pkcs11-scd and that looks also > a bit limited and dated. I'm currently especially interested in a way to > use that IBM crypto card. A relatively easy solution might be to just store > the signature hash in the signature file. To verify that it seem to be > enough to something like "openssl dgst -sha256 -verify public.pem > -signature manifest.sig manifest.json". My understanding so far is that > this is actually a PKCS#1 hash calculation. Anyhow if I could get podman > doing that openssl call instead of openpgp things would be working for me. > > regards, > Hendrik > > On 11.05.2020 18:38, Scott McCarty wrote: > > Hendrik, > That's all that's supported today. Do you have any other tools you > would be looking for? > > Best Regards > Scott M > > On Wed, May 6, 2020 at 3:15 AM Hendrik Haddorp <hendrik.haddorp(a)gmx.net&gt; > wrote: > >> Hi, >> >> is OpenPGP the only supported image signing open supported by podman / >> skopeo or are there other options? Using OpenGPG works quite fine for me >> so far but in the end we are trying to sign an image using an IBM 4765 >> crypto card and so far have not figured out how this can play together. >> >> thanks, >> Hendrk >> _______________________________________________ >> Podman mailing list -- podman(a)lists.podman.io >> To unsubscribe send an email to podman-leave(a)lists.podman.io >> > > > -- > > -- > > Moving Wordpress, Mediawiki and Request Tracker into containers: http://crunchtools.com/a-hackers-guide-to-moving-linux-services-into-cont... > > -- > > Scott McCarty > Product Management - Containers, Red Hat Enterprise Linux & OpenShift > Email: smccarty(a)redhat.com > Phone: 312-660-3535 > Cell: 330-807-1043 > Web: http://crunchtools.com > > Using Azure Pipelines with Red Hat Universal Base Image and Quay.io: https://red.ht/2TvYo3Y > > > -- -- Moving Wordpress, Mediawiki and Request Tracker into containers: http://crunchtools.com/a-hackers-guide-to-moving-linux-services-into-cont... -- Scott McCarty Product Management - Containers, Red Hat Enterprise Linux & OpenShift Email: smccarty(a)redhat.com Phone: 312-660-3535 Cell: 330-807-1043 Web: http://crunchtools.com Using Azure Pipelines with Red Hat Universal Base Image and Quay.io: https://red.ht/2TvYo3Y

Hi Scott, I will open an issue in the next days just trying to collect some more info first. On 5/13/20 2:51 AM, Scott McCarty wrote: > Hendrik, >      You might also think about filing a GitHub issue to capture it > publicly! > > Best Regards > Scott M > > On Tue, May 12, 2020 at 8:50 PM Scott McCarty <smccarty(a)redhat.com > <mailto:smccarty@redhat.com>> wrote: > > Hendrik, >  Thank you for helping me get my brain around this potential > feature. We very much appreciate these kinds of ideas. Currently, > we are working heavily on the Podman API V2, but I have captured > this as a backlogged feature that we will discuss in upcoming > planning sessions. I've also captured this thread to come back to > it and update when we get a chance to discuss and think about it > further. > > Best Regards > Scott M > > On Mon, May 11, 2020 at 5:25 PM Hendrik Haddorp > <hendrik.haddorp(a)gmx.net <mailto:hendrik.haddorp@gmx.net>> wrote: > > Hi Scott, > > we would like to sign images using an HSM and those provide > PKCS#11 > (https://www.ibm.com/security/cryptocards/pciecc/overview, > https://www.yubico.com/product/yubihsm-2, > https://www.nitrokey.com/#comparison) and there does not seem > to be any proper connection from that to the OpenPGP world. > The only thing I found might be > https://github.com/alonbl/gnupg-pkcs11-scd and that looks > also a bit limited and dated. I'm currently especially > interested in a way to use that IBM crypto card. A relatively > easy solution might be to just store the signature hash in > the signature file. To verify that it seem to be enough to > something like "openssl dgst -sha256 -verify public.pem > -signature manifest.sig manifest.json". My understanding so > far is that this is actually a PKCS#1 hash calculation. > Anyhow if I could get podman doing that openssl call instead > of openpgp things would be working for me. > > regards, > Hendrik > > On 11.05.2020 18:38, Scott McCarty wrote: >> Hendrik, >>    That's all that's supported today. Do you have any other >> tools you would be looking for? >> >> Best Regards >> Scott M >> >> On Wed, May 6, 2020 at 3:15 AM Hendrik Haddorp >> <hendrik.haddorp(a)gmx.net <mailto:hendrik.haddorp@gmx.net>> >> wrote: >> >> Hi, >> >> is OpenPGP the only supported image signing open >> supported by podman / >> skopeo or are there other options? Using OpenGPG works >> quite fine for me >> so far but in the end we are trying to sign an image >> using an IBM 4765 >> crypto card and so far have not figured out how this can >> play together. >> >> thanks, >> Hendrk >> _______________________________________________ >> Podman mailing list -- podman(a)lists.podman.io >> <mailto:podman@lists.podman.io> >> To unsubscribe send an email to >> podman-leave(a)lists.podman.io >> <mailto:podman-leave@lists.podman.io> >> >> >> >> -- >> -- >> Moving Wordpress, Mediawiki and Request Tracker into containers:http://crunchtools.com/a-hackers-guide-to-moving-linux-service... >> -- >> Scott McCarty Product Management - Containers, Red Hat >> Enterprise Linux & OpenShift Email: smccarty(a)redhat.com >> <mailto:smccarty@redhat.com> Phone: 312-660-3535 Cell: >> 330-807-1043 Web: http://crunchtools.com >> Using Azure Pipelines with Red Hat Universal Base Image and Quay.io:https://red.ht/2TvYo3Y > > > > -- > > -- > > Moving Wordpress, Mediawiki and Request Tracker into containers:http://crunchtools.com/a-hackers-guide-to-moving-linux-service... > > -- > > Scott McCarty Product Management - Containers, Red Hat Enterprise > Linux & OpenShift Email: smccarty(a)redhat.com > <mailto:smccarty@redhat.com> Phone: 312-660-3535 Cell: > 330-807-1043 Web: http://crunchtools.com > > Using Azure Pipelines with Red Hat Universal Base Image and Quay.io:https://red.ht/2TvYo3Y > > > > -- > -- > Moving Wordpress, Mediawiki and Request Tracker into containers:http://crunchtools.com/a-hackers-guide-to-moving-linux-service... > -- > Scott McCarty Product Management - Containers, Red Hat Enterprise > Linux & OpenShift Email: smccarty(a)redhat.com > <mailto:smccarty@redhat.com> Phone: 312-660-3535 Cell: 330-807-1043 > Web: http://crunchtools.com > Using Azure Pipelines with Red Hat Universal Base Image and Quay.io:https://red.ht/2TvYo3Y

Hendrik, Thank you for capturing this. We really appreciate it. I've added it to our backlog to discuss at our next planning meeting. I also tagged Mitr (security ninja) in to take a look. Best Regards Scott M On Mon, May 18, 2020 at 6:23 AM Hendrik Haddorp <hendrik.haddorp(a)gmx.net&gt; wrote: > I opened an issue for this now: > https://github.com/containers/libpod/issues/6259 > > On 5/13/20 5:08 PM, Hendrik Haddorp wrote: > > Hi Scott, I will open an issue in the next days just trying to collect > some more info first. > > On 5/13/20 2:51 AM, Scott McCarty wrote: > > Hendrik, > You might also think about filing a GitHub issue to capture it > publicly! > > Best Regards > Scott M > > On Tue, May 12, 2020 at 8:50 PM Scott McCarty <smccarty(a)redhat.com&gt; > wrote: > >> Hendrik, >> Thank you for helping me get my brain around this potential >> feature. We very much appreciate these kinds of ideas. Currently, we are >> working heavily on the Podman API V2, but I have captured this as a >> backlogged feature that we will discuss in upcoming planning sessions. I've >> also captured this thread to come back to it and update when we get a >> chance to discuss and think about it further. >> >> Best Regards >> Scott M >> >> On Mon, May 11, 2020 at 5:25 PM Hendrik Haddorp <hendrik.haddorp(a)gmx.net&gt; >> wrote: >> >>> Hi Scott, >>> >>> we would like to sign images using an HSM and those provide PKCS#11 ( >>> https://www.ibm.com/security/cryptocards/pciecc/overview, >>> https://www.yubico.com/product/yubihsm-2, >>> https://www.nitrokey.com/#comparison) and there does not seem to be >>> any proper connection from that to the OpenPGP world. The only thing I >>> found might be https://github.com/alonbl/gnupg-pkcs11-scd and that >>> looks also a bit limited and dated. I'm currently especially interested in >>> a way to use that IBM crypto card. A relatively easy solution might be to >>> just store the signature hash in the signature file. To verify that it seem >>> to be enough to something like "openssl dgst -sha256 -verify public.pem >>> -signature manifest.sig manifest.json". My understanding so far is that >>> this is actually a PKCS#1 hash calculation. Anyhow if I could get podman >>> doing that openssl call instead of openpgp things would be working for me. >>> >>> regards, >>> Hendrik >>> >>> On 11.05.2020 18:38, Scott McCarty wrote: >>> >>> Hendrik, >>> That's all that's supported today. Do you have any other tools you >>> would be looking for? >>> >>> Best Regards >>> Scott M >>> >>> On Wed, May 6, 2020 at 3:15 AM Hendrik Haddorp <hendrik.haddorp(a)gmx.net&gt; >>> wrote: >>> >>>> Hi, >>>> >>>> is OpenPGP the only supported image signing open supported by podman / >>>> skopeo or are there other options? Using OpenGPG works quite fine for >>>> me >>>> so far but in the end we are trying to sign an image using an IBM 4765 >>>> crypto card and so far have not figured out how this can play together. >>>> >>>> thanks, >>>> Hendrk >>>> _______________________________________________ >>>> Podman mailing list -- podman(a)lists.podman.io >>>> To unsubscribe send an email to podman-leave(a)lists.podman.io >>>> >>> >>> >>> -- >>> >>> -- >>> >>> Moving Wordpress, Mediawiki and Request Tracker into containers: http://crunchtools.com/a-hackers-guide-to-moving-linux-services-into-cont... >>> >>> -- >>> >>> Scott McCarty >>> Product Management - Containers, Red Hat Enterprise Linux & OpenShift >>> Email: smccarty(a)redhat.com >>> Phone: 312-660-3535 >>> Cell: 330-807-1043 >>> Web: http://crunchtools.com >>> >>> Using Azure Pipelines with Red Hat Universal Base Image and Quay.io: https://red.ht/2TvYo3Y >>> >>> >>> >> >> -- >> >> -- >> >> Moving Wordpress, Mediawiki and Request Tracker into containers: http://crunchtools.com/a-hackers-guide-to-moving-linux-services-into-cont... >> >> -- >> >> Scott McCarty >> Product Management - Containers, Red Hat Enterprise Linux & OpenShift >> Email: smccarty(a)redhat.com >> Phone: 312-660-3535 >> Cell: 330-807-1043 >> Web: http://crunchtools.com >> >> Using Azure Pipelines with Red Hat Universal Base Image and Quay.io: https://red.ht/2TvYo3Y >> >> > > -- > > -- > > Moving Wordpress, Mediawiki and Request Tracker into containers: http://crunchtools.com/a-hackers-guide-to-moving-linux-services-into-cont... > > -- > > Scott McCarty > Product Management - Containers, Red Hat Enterprise Linux & OpenShift > Email: smccarty(a)redhat.com > Phone: 312-660-3535 > Cell: 330-807-1043 > Web: http://crunchtools.com > > Using Azure Pipelines with Red Hat Universal Base Image and Quay.io: https://red.ht/2TvYo3Y > > > > -- -- Moving Wordpress, Mediawiki and Request Tracker into containers: http://crunchtools.com/a-hackers-guide-to-moving-linux-services-into-cont... -- Scott McCarty Product Management - Containers, Red Hat Enterprise Linux & OpenShift Email: smccarty(a)redhat.com Phone: 312-660-3535 Cell: 330-807-1043 Web: http://crunchtools.com Using Azure Pipelines with Red Hat Universal Base Image and Quay.io: https://red.ht/2TvYo3Y

Hi, Cosign looks interesting but does not seem to feature the nice verification integration podman offers with the build in signing support. So it does not seem to protect from unsigned images if I simply invoke podman run, which was the nice part of the existing solution.

Our requirements actually changed a bit. First of all we need a sha512 for the container as sha256 is not considered safe enough. Secondly we need the signing to happen with a specific algorithm. Actually we want to sign the image with multiple algorithms in parallel.

So I maybe the best solution would be to somehow provide a plug point for the verification (the defect also seems to suggest something like that in the last update). The code could be invoked after the image was pulled into the local registry and then a handle to image is passed. The plugin could now either take the existing hash for the image or calculate a new one, verify the signature in what ever way required and then return the verification result. Cosign could be integrating in that way as well and would now be able to prevent podman from starting illegal images. Just not sure how such a plugin integration might work. regards, Hendrik On 3/24/21 9:18 PM, Scott McCarty wrote: > Hendrik/All, >     I'm reviving this thread because we are taking a look at a cool > new project called Cosign [1][2][3]. He briefly mentioned that he has > a roadmap to handle key storing devices like Yubikeys and I thought > about this email thread (yes, my memory is strange like that). With a > little searching I found it and decided to revive it. I'm also > tracking a RHEL feature which could potentially implement this. > > I'd love feedback from the people on this thread. Many of you seem to > have very crisp use cases around keys, know podman, and have strong > opinions (which is good). Product Managers love feedback from the > community :-) Thoughts? > > Also feel free to continue discussion in the GitHub issue [4]. > > [1]: https://www.youtube.com/watch?v=gCi9_4NYyR0 > <https://www.youtube.com/watch?v=gCi9_4NYyR0> > [2]: https://github.com/sigstore/cosign > <https://github.com/sigstore/cosign> > [3]: > https://dlorenc.medium.com/cosign-signed-container-images-c1016862618 > <https://dlorenc.medium.com/cosign-signed-container-images-c1016862618> > [4]: https://github.com/containers/podman/issues/6259 > <https://github.com/containers/podman/issues/6259> > > Best Regards > Scott M > > > On Mon, May 18, 2020 at 2:28 PM Scott McCarty <smccarty(a)redhat.com > <mailto:smccarty@redhat.com>> wrote: > > Hendrik, >  Thank you for capturing this. We really appreciate it. I've > added it to our backlog to discuss at our next planning meeting. > I also tagged Mitr (security ninja) in to take a look. > > Best Regards > Scott M > > On Mon, May 18, 2020 at 6:23 AM Hendrik Haddorp > <hendrik.haddorp(a)gmx.net <mailto:hendrik.haddorp@gmx.net>> wrote: > > I opened an issue for this now: > https://github.com/containers/libpod/issues/6259 > <https://github.com/containers/libpod/issues/6259> > > On 5/13/20 5:08 PM, Hendrik Haddorp wrote: >> Hi Scott, I will open an issue in the next days just trying >> to collect some more info first. >> >> On 5/13/20 2:51 AM, Scott McCarty wrote: >>> Hendrik, >>>      You might also think about filing a GitHub issue to >>> capture it publicly! >>> >>> Best Regards >>> Scott M >>> >>> On Tue, May 12, 2020 at 8:50 PM Scott McCarty >>> <smccarty(a)redhat.com <mailto:smccarty@redhat.com>> wrote: >>> >>> Hendrik, >>>      Thank you for helping me get my brain around this >>> potential feature. We very much appreciate these kinds >>> of ideas. Currently, we are working heavily on the >>> Podman API V2, but I have captured this as a backlogged >>> feature that we will discuss in upcoming planning >>> sessions. I've also captured this thread to come back >>> to it and update when we get a chance to discuss and >>> think about it further. >>> >>> Best Regards >>> Scott M >>> >>> On Mon, May 11, 2020 at 5:25 PM Hendrik Haddorp >>> <hendrik.haddorp(a)gmx.net >>> <mailto:hendrik.haddorp@gmx.net>> wrote: >>> >>> Hi Scott, >>> >>> we would like to sign images using an HSM and those >>> provide PKCS#11 >>> (https://www.ibm.com/security/cryptocards/pciecc/overview >>> <https://www.ibm.com/security/cryptocards/pciecc/overview>;, >>> https://www.yubico.com/product/yubihsm-2 >>> <https://www.yubico.com/product/yubihsm-2>;, >>> https://www.nitrokey.com/#comparison >>> <https://www.nitrokey.com/#comparison>) and there >>> does not seem to be any proper connection from that >>> to the OpenPGP world. The only thing I found might >>> be https://github.com/alonbl/gnupg-pkcs11-scd >>> <https://github.com/alonbl/gnupg-pkcs11-scd> and >>> that looks also a bit limited and dated. I'm >>> currently especially interested in a way to use >>> that IBM crypto card. A relatively easy solution >>> might be to just store the signature hash in the >>> signature file. To verify that it seem to be enough >>> to something like "openssl dgst -sha256 -verify >>> public.pem -signature manifest.sig manifest.json". >>> My understanding so far is that this is actually a >>> PKCS#1 hash calculation. Anyhow if I could get >>> podman doing that openssl call instead of openpgp >>> things would be working for me. >>> >>> regards, >>> Hendrik >>> >>> On 11.05.2020 18:38, Scott McCarty wrote: >>>> Hendrik, >>>>  That's all that's supported today. Do you have >>>> any other tools you would be looking for? >>>> >>>> Best Regards >>>> Scott M >>>> >>>> On Wed, May 6, 2020 at 3:15 AM Hendrik Haddorp >>>> <hendrik.haddorp(a)gmx.net >>>> <mailto:hendrik.haddorp@gmx.net>> wrote: >>>> >>>> Hi, >>>> >>>> is OpenPGP the only supported image signing >>>> open supported by podman / >>>> skopeo or are there other options? Using >>>> OpenGPG works quite fine for me >>>> so far but in the end we are trying to sign an >>>> image using an IBM 4765 >>>> crypto card and so far have not figured out >>>> how this can play together. >>>> >>>> thanks, >>>> Hendrk >>>> _______________________________________________ >>>> Podman mailing list -- podman(a)lists.podman.io >>>> <mailto:podman@lists.podman.io> >>>> To unsubscribe send an email to >>>> podman-leave(a)lists.podman.io >>>> <mailto:podman-leave@lists.podman.io> >>>> >>>> >>>> >>>> -- >>>> -- >>>> Moving Wordpress, Mediawiki and Request Tracker into containers:http://crunchtools.com/a-hackers-guide-to-moving-linux-service... <http://crunchtools.com/a-hackers-guide-to-moving-linux-services-into-cont... >>>> -- >>>> Scott McCarty Product Management - Containers, Red >>>> Hat Enterprise Linux & OpenShift Email: >>>> smccarty(a)redhat.com <mailto:smccarty@redhat.com> >>>> Phone: 312-660-3535 Cell: 330-807-1043 Web: >>>> http://crunchtools.com <http://crunchtools.com> >>>> Using Azure Pipelines with Red Hat Universal Base Image and Quay.io:https://red.ht/2TvYo3Y <https://red.ht/2TvYo3Y> >>> >>> >>> >>> -- >>> >>> -- >>> >>> Moving Wordpress, Mediawiki and Request Tracker into containers:http://crunchtools.com/a-hackers-guide-to-moving-linux-service... <http://crunchtools.com/a-hackers-guide-to-moving-linux-services-into-cont... >>> >>> -- >>> >>> Scott McCarty Product Management - Containers, Red Hat >>> Enterprise Linux & OpenShift Email: smccarty(a)redhat.com >>> <mailto:smccarty@redhat.com> Phone: 312-660-3535 Cell: >>> 330-807-1043 Web: http://crunchtools.com >>> <http://crunchtools.com> >>> >>> Using Azure Pipelines with Red Hat Universal Base Image and Quay.io:https://red.ht/2TvYo3Y <https://red.ht/2TvYo3Y> >>> >>> >>> >>> -- >>> -- >>> Moving Wordpress, Mediawiki and Request Tracker into containers:http://crunchtools.com/a-hackers-guide-to-moving-linux-service... <http://crunchtools.com/a-hackers-guide-to-moving-linux-services-into-cont... >>> -- >>> Scott McCarty Product Management - Containers, Red Hat >>> Enterprise Linux & OpenShift Email: smccarty(a)redhat.com >>> <mailto:smccarty@redhat.com> Phone: 312-660-3535 Cell: >>> 330-807-1043 Web: http://crunchtools.com >>> <http://crunchtools.com> >>> Using Azure Pipelines with Red Hat Universal Base Image and Quay.io:https://red.ht/2TvYo3Y <https://red.ht/2TvYo3Y> >> > > > > -- > > -- > > Moving Wordpress, Mediawiki and Request Tracker into containers:http://crunchtools.com/a-hackers-guide-to-moving-linux-service... <http://crunchtools.com/a-hackers-guide-to-moving-linux-services-into-cont... > > -- > > Scott McCarty Product Management - Containers, Red Hat Enterprise > Linux & OpenShift Email: smccarty(a)redhat.com > <mailto:smccarty@redhat.com> Phone: 312-660-3535 Cell: > 330-807-1043 Web: http://crunchtools.com <http://crunchtools.com> > > Using Azure Pipelines with Red Hat Universal Base Image and Quay.io:https://red.ht/2TvYo3Y <https://red.ht/2TvYo3Y> > > > > -- > -- > 18 ways to differentiate open source products from upstream suppliers:https://opensource.com/article/21/2/differentiating-products-up... <https://opensource.com/article/21/2/differentiating-products-upstream-sup... > -- > Scott McCarty Product Management - Containers, Red Hat Enterprise > Linux & OpenShift Email: smccarty(a)redhat.com > <mailto:smccarty@redhat.com> Phone: 312-660-3535 Cell: 330-807-1043 > Web: http://crunchtools.com <http://crunchtools.com> > > _______________________________________________ > Podman mailing list --podman(a)lists.podman.io > To unsubscribe send an email topodman-leave(a)lists.podman.io _______________________________________________ Podman mailing list -- podman(a)lists.podman.io To unsubscribe send an email to podman-leave(a)lists.podman.io

On Thu, Mar 25, 2021 at 9:33 PM Daniel Walsh <dwalsh(a)redhat.com&gt; wrote: > > On 3/25/21 12:22, Hendrik Haddorp wrote: > > Hi, > > Cosign looks interesting but does not seem to feature the nice verification integration podman offers with the build in signing support. So it does not seem to protect from unsigned images if I simply invoke podman run, which was the nice part of the existing solution. > > cosign is a demonstration, the current thought is we will integrate cosign directly into podman so that podman sign, run, build will all be able to work with sigstore. > > Our requirements actually changed a bit. First of all we need a sha512 for the container as sha256 is not considered safe enough. Secondly we need the signing to happen with a specific algorithm. Actually we want to sign the image with multiple algorithms in parallel. > > Add Luke Hinds to conversation, since he is one of the people behind sigstore, to get his ideas. > The Yubikey code is currently a prototype in a pull request, the priority on this being developed further is influenced by user interest / engagement, so now is a good opportunity to discuss needs and help shape the implementation. Generally we try to adhere to 'crypto-agility', but some code that is more experimental may have hardcoded types - we mostly use ecdsa with cosign being curve P-256. Consider sigstore to be an umbrella for a group of projects. The main components are the infrastructure which is largely the WebPKI and transparency log. We then have a series of signing clients with cosign being one (we also have others in the works to sign rubygems, maven jar signing). As Dan Walsh comments, cosign is considered to be a reference implementation. Multi key signing is discussed here, feel free to chime in: https://github.com/sigstore/cosign/issues/98 Note: I am not on this list, I will try to sign up, but best to keep me in To: as I may not see replies otherwise. > So I maybe the best solution would be to somehow provide a plug point for the verification (the defect also seems to suggest something like that in the last update). The code could be invoked after the image was pulled into the local registry and then a handle to image is passed. The plugin could now either take the existing hash for the image or calculate a new one, verify the signature in what ever way required and then return the verification result. Cosign could be integrating in that way as well and would now be able to prevent podman from starting illegal images. Just not sure how such a plugin integration might work. > > regards, > Hendrik > > On 3/24/21 9:18 PM, Scott McCarty wrote: > > Hendrik/All, > I'm reviving this thread because we are taking a look at a cool new project called Cosign [1][2][3]. He briefly mentioned that he has a roadmap to handle key storing devices like Yubikeys and I thought about this email thread (yes, my memory is strange like that). With a little searching I found it and decided to revive it. I'm also tracking a RHEL feature which could potentially implement this. > > I'd love feedback from the people on this thread. Many of you seem to have very crisp use cases around keys, know podman, and have strong opinions (which is good). Product Managers love feedback from the community :-) Thoughts? > > Also feel free to continue discussion in the GitHub issue [4]. > > [1]: https://www.youtube.com/watch?v=gCi9_4NYyR0 > [2]: https://github.com/sigstore/cosign > [3]: https://dlorenc.medium.com/cosign-signed-container-images-c1016862618 > [4]: https://github.com/containers/podman/issues/6259 > > Best Regards > Scott M > > > On Mon, May 18, 2020 at 2:28 PM Scott McCarty <smccarty(a)redhat.com&gt; wrote: >> >> Hendrik, >> Thank you for capturing this. We really appreciate it. I've added it to our backlog to discuss at our next planning meeting. I also tagged Mitr (security ninja) in to take a look. >> >> Best Regards >> Scott M >> >> On Mon, May 18, 2020 at 6:23 AM Hendrik Haddorp < hendrik.haddorp(a)gmx.net&gt; wrote: >>> >>> I opened an issue for this now: https://github.com/containers/libpod/issues/6259 >>> >>> On 5/13/20 5:08 PM, Hendrik Haddorp wrote: >>> >>> Hi Scott, I will open an issue in the next days just trying to collect some more info first. >>> >>> On 5/13/20 2:51 AM, Scott McCarty wrote: >>> >>> Hendrik, >>> You might also think about filing a GitHub issue to capture it publicly! >>> >>> Best Regards >>> Scott M >>> >>> On Tue, May 12, 2020 at 8:50 PM Scott McCarty <smccarty(a)redhat.com&gt; wrote: >>>> >>>> Hendrik, >>>> Thank you for helping me get my brain around this potential feature. We very much appreciate these kinds of ideas. Currently, we are working heavily on the Podman API V2, but I have captured this as a backlogged feature that we will discuss in upcoming planning sessions. I've also captured this thread to come back to it and update when we get a chance to discuss and think about it further. >>>> >>>> Best Regards >>>> Scott M >>>> >>>> On Mon, May 11, 2020 at 5:25 PM Hendrik Haddorp < hendrik.haddorp(a)gmx.net&gt; wrote: >>>>> >>>>> Hi Scott, >>>>> >>>>> we would like to sign images using an HSM and those provide PKCS#11 ( https://www.ibm.com/security/cryptocards/pciecc/overview, https://www.yubico.com/product/yubihsm-2, https://www.nitrokey.com/#comparison) and there does not seem to be any proper connection from that to the OpenPGP world. The only thing I found might be https://github.com/alonbl/gnupg-pkcs11-scd and that looks also a bit limited and dated. I'm currently especially interested in a way to use that IBM crypto card. A relatively easy solution might be to just store the signature hash in the signature file. To verify that it seem to be enough to something like "openssl dgst -sha256 -verify public.pem -signature manifest.sig manifest.json". My understanding so far is that this is actually a PKCS#1 hash calculation. Anyhow if I could get podman doing that openssl call instead of openpgp things would be working for me. >>>>> >>>>> regards, >>>>> Hendrik >>>>> >>>>> On 11.05.2020 18:38, Scott McCarty wrote: >>>>> >>>>> Hendrik, >>>>> That's all that's supported today. Do you have any other tools you would be looking for? >>>>> >>>>> Best Regards >>>>> Scott M >>>>> >>>>> On Wed, May 6, 2020 at 3:15 AM Hendrik Haddorp < hendrik.haddorp(a)gmx.net&gt; wrote: >>>>>> >>>>>> Hi, >>>>>> >>>>>> is OpenPGP the only supported image signing open supported by podman / >>>>>> skopeo or are there other options? Using OpenGPG works quite fine for me >>>>>> so far but in the end we are trying to sign an image using an IBM 4765 >>>>>> crypto card and so far have not figured out how this can play together. >>>>>> >>>>>> thanks, >>>>>> Hendrk >>>>>> _______________________________________________ >>>>>> Podman mailing list -- podman(a)lists.podman.io >>>>>> To unsubscribe send an email to podman-leave(a)lists.podman.io >>>>> >>>>> >>>>> >>>>> -- >>>>> >>>>> -- >>>>> >>>>> Moving Wordpress, Mediawiki and Request Tracker into containers: http://crunchtools.com/a-hackers-guide-to-moving-linux-services-into-cont... >>>>> >>>>> -- >>>>> >>>>> Scott McCarty >>>>> Product Management - Containers, Red Hat Enterprise Linux & OpenShift >>>>> Email: smccarty(a)redhat.com >>>>> Phone: 312-660-3535 >>>>> Cell: 330-807-1043 >>>>> Web: http://crunchtools.com >>>>> >>>>> Using Azure Pipelines with Red Hat Universal Base Image and Quay.io: https://red.ht/2TvYo3Y >>>>> >>>>> >>>> >>>> >>>> -- >>>> >>>> -- >>>> >>>> Moving Wordpress, Mediawiki and Request Tracker into containers: http://crunchtools.com/a-hackers-guide-to-moving-linux-services-into-cont... >>>> >>>> -- >>>> >>>> Scott McCarty >>>> Product Management - Containers, Red Hat Enterprise Linux & OpenShift >>>> Email: smccarty(a)redhat.com >>>> Phone: 312-660-3535 >>>> Cell: 330-807-1043 >>>> Web: http://crunchtools.com >>>> >>>> Using Azure Pipelines with Red Hat Universal Base Image and Quay.io: https://red.ht/2TvYo3Y >>> >>> >>> >>> -- >>> >>> -- >>> >>> Moving Wordpress, Mediawiki and Request Tracker into containers: http://crunchtools.com/a-hackers-guide-to-moving-linux-services-into-cont... >>> >>> -- >>> >>> Scott McCarty >>> Product Management - Containers, Red Hat Enterprise Linux & OpenShift >>> Email: smccarty(a)redhat.com >>> Phone: 312-660-3535 >>> Cell: 330-807-1043 >>> Web: http://crunchtools.com >>> >>> Using Azure Pipelines with Red Hat Universal Base Image and Quay.io: https://red.ht/2TvYo3Y >>> >>> >>> >> >> >> -- >> >> -- >> >> Moving Wordpress, Mediawiki and Request Tracker into containers: http://crunchtools.com/a-hackers-guide-to-moving-linux-services-into-cont... >> >> -- >> >> Scott McCarty >> Product Management - Containers, Red Hat Enterprise Linux & OpenShift >> Email: smccarty(a)redhat.com >> Phone: 312-660-3535 >> Cell: 330-807-1043 >> Web: http://crunchtools.com >> >> Using Azure Pipelines with Red Hat Universal Base Image and Quay.io: https://red.ht/2TvYo3Y > > > > -- > > -- > > 18 ways to differentiate open source products from upstream suppliers: https://opensource.com/article/21/2/differentiating-products-upstream-sup... > -- > > Scott McCarty > Product Management - Containers, Red Hat Enterprise Linux & OpenShift > Email: smccarty(a)redhat.com > Phone: 312-660-3535 > Cell: 330-807-1043 > Web: http://crunchtools.com > > > _______________________________________________ > Podman mailing list -- podman(a)lists.podman.io > To unsubscribe send an email to podman-leave(a)lists.podman.io > > > > _______________________________________________ > Podman mailing list -- podman(a)lists.podman.io > To unsubscribe send an email to podman-leave(a)lists.podman.io > > _______________________________________________ Podman mailing list -- podman(a)lists.podman.io To unsubscribe send an email to podman-leave(a)lists.podman.io