Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

docs: add release image signing guidance #129

Open
wants to merge 3 commits into
base: main
Choose a base branch
from
Open

docs: add release image signing guidance #129

wants to merge 3 commits into from

Conversation

akashsinghal
Copy link
Collaborator

Updates security doc to include release image verification guidance

@netlify Netlify
Copy link

netlify bot commented Nov 22, 2024
edited
Loading

Deploy Preview for ratify-dev ready!

Name Link
🔨 Latest commit 94f64ed
🔍 Latest deploy log https://app.netlify.com/sites/ratify-dev/deploys/6744f1e90fa4140008df7601
😎 Deploy Preview https://deploy-preview-129--ratify-dev.netlify.app
📱 Preview on mobile
Toggle QR Code...

QR Code

Use your smartphone camera to open QR code link.

To edit notification comments on pull requests, go to your Netlify site configuration.

junczhu
junczhu reviewed Nov 25, 2024
View reviewed changes
docs/troubleshoot/security.md
@@ -41,11 +44,11 @@ cat <<EOF > ./trustpolicy.json
}
EOF
notation policy import ./trustpolicy.json
notation verify ghcr.io/ratify-project/ratify:v1.4.0
Copy link
Contributor

@junczhu junczhu Nov 25, 2024
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Just curious about that, since v1.4.0 is not released shall we go with the latest version v1.3.1 instead?

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I was thinking that updates to the docs here are for the next version on the website, which corresponds to unreleased changes. The current v1.3.1 release is not signed so we don't want to give that as an example. When v1.4.0 is released, the published release images will be signed and match the docs.

junczhu
junczhu reviewed Nov 25, 2024
View reviewed changes
docs/troubleshoot/security.md
@@ -63,18 +66,18 @@ cosign verify \
--certificate-identity "https://github.com/ratify-project/ratify/.github/workflows/publish-dev-assets.yml@refs/heads/dev" \
--certificate-oidc-issuer https://token.actions.githubusercontent.com \
--certificate-github-workflow-repository ratify-project/ratify \
ghcr.io/ratify-project/ratify-dev:latest
ghcr.io/ratify-project/ratify:v1.4.0
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Same here.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Get answered above.
REF: #129 (comment)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@junczhu junczhu junczhu left review comments

@binbin-li binbin-li Awaiting requested review from binbin-li binbin-li is a code owner

@luisdlp luisdlp Awaiting requested review from luisdlp luisdlp is a code owner

@susanshi susanshi Awaiting requested review from susanshi susanshi is a code owner

@toddysm toddysm Awaiting requested review from toddysm toddysm is a code owner

At least 1 approving review is required to merge this pull request.

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@akashsinghal @junczhu