Description
We would like to implement container image signing for images stored and distributed through Pulp.
Currently, our container images are pushed to Pulp and consumed by compute nodes. To improve supply chain security and image authenticity, we want to enable signing of container images so that users can verify that the images originate from a trusted source and have not been tampered with.
Request
We need guidance and/or support on the following:
- How to enable container image signing in Pulp.
- Which signing mechanisms are supported.
- Steps required to configure signing keys and integrate them with Pulp.
- How users can verify signatures when pulling images from Pulp.
- Any recommended Pulp plugins or configuration required to support this functionality.
Environment
- Pulp Version: 3.80.1
- Container plugin version: 2.25.1
- Deployment: VM / Bare metal
- Registry type: Pulp container registry
Expected Outcome
Ability to sign container images and verify signatures during image pull, ensuring image integrity and trust.