-
-
Notifications
You must be signed in to change notification settings - Fork 163
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
feat(ci): Verify remaining toolboxes #779
Conversation
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Wonderful, thank you!
extra-args: | | ||
--disable-content-trust |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Is there a reason we have this here still? I don't believe it's required and provides even more security for in-transit communication
Content trust gives you the ability to verify both the integrity and the publisher of all the data received from a registry over any channel.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
If I had to guess, this is because it would require us to trust the container locally before pushing it to the registry. In Red Hat's own workflows, for push-to-registry
, they disable content trust:
However, I do believe this is something that would be worth looking into. At the very least, we may be able to emulate this behavior by signing the container locally with cosign before a push, and then verifying it after
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I would like to remove the flag if nobody remembers why it's there.
It works without it in my older workflow that use these actions. Have made a PR
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Sounds great!
Verifies the Ubuntu toolbox as well as the Fedora distrobox before building them.
All containers used in Bluefin are now verified!