Sign OCI-SIF (cosign/sigstore) #3492
Assignees
Comments
dtrudg
added a commit
to dtrudg/singularity
that referenced
this issue
Feb 4, 2025
Add a new `--cosign` mode to `singularity sign`, which will apply a cosign-compatible signature to a container image in an OCI-SIF, and store the signature image in the OCI-SIF, using the name.ref association defined by sylabs/oci-tools. Unlike the upstream sylabs/oci-tools code, Singularity currently only creates / considers OCI-SIF images that contain a single OCI image. Consequently there is no signature handling for image indices in Singularity at this point. From this commit onwards, Singularity ignores cosign images in the OCI-SIF when looking for an OCI image to execute, push etc. Older versions of Singularity will error when attempting to execute a signed image, as they expect only one image in an OCI-SIF, with no filtering of non-executable cosign related images. Fixes sylabs#3492
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
An OCI-SIF, containing an OCI container image, should be able to be signed using
singularity sign.The signature applied should be a standard cosign/sigstore signature.
The text was updated successfully, but these errors were encountered: