How to sign an index (manifest list) #18
Comments
|
Hi @reasonerjt, please see the current approach for using linked artifacts to sign all content: opencontainers/artifacts#29 |
|
@reasonerjt, do we need this as an active issue at this point? Just dong some house cleaning. |
|
Closing as the current signing design will support signing any oci artifact stored in a registry. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
More specifically, when signing an index (manifest list), should all referenced artifacts be signed?
By looking at the doc, in this section:
https://github.com/notaryproject/nv2/blob/prototype-1/docs/distribution/persistance-discovery-options.md#signature-persistence---option-2a-oci-index-signing-a-multi-arch-manifest
It's not very clear to me whether the objects 6~9 are required when signing the multi-arch manifest.
I'm afraid it may generate too many indexes if we require all referenced artifacts are signed when signing an index.
On the other hand, if we only require object 2,3, it will be hard to tell if the artifact is signed, when registry receives a request to pull manifest of one particular manifest, e.g. object 4
The text was updated successfully, but these errors were encountered: