Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.

Bug 1257306

Summary: [RFE][glance] Image Signing and Verification Support
Product: Red Hat OpenStack Reporter: Sean Cohen <scohen>
Component: openstack-glance Assignee: Flavio Percoco <fpercoco>
Status: CLOSED WONTFIX QA Contact: nlevinki <nlevinki>
Severity: medium Docs Contact:
Priority: medium    
Version: 8.0 (Liberty) CC: eglynn, fpercoco, gfidente, jschluet, mlopes, pneedle, sclewis, scohen, sgotliv, srevivo
Target Milestone: --- Keywords: FutureFeature, TechPreview, Triaged, ZStream
Target Release: 8.0 (Liberty)   
Hardware: Unspecified   
OS: Unspecified   
URL: https://blueprints.launchpad.net/glance/+spec/image-signing-and-verification-support
Whiteboard: upstream_milestone_liberty-3 upstream_definition_new upstream_status_implemented
Fixed In Version: Doc Type: Enhancement
Doc Text:
This release includes a tech preview of Image Signing and Verification for glance images. This feature helps protect image integrity by ensuring no modifications occur after the image is uploaded by a user. This capability includes both signing of the image, and signature validation of bootable images when used.
Story Points: ---
Clone Of:
: 1316607 Environment:
Last Closed: 2017-07-25 13:24:02 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1316607, 1365571    

Description Sean Cohen 2015-08-26 17:56:31 UTC
OpenStack currently doesn't support either of the following features:

* Signing and signature validation of bootable images
* Validation of uploaded signed images

This blueprint adds support for both of these features. If an uploaded image is signed, Glance will verify the signature prior to storing it. In each of the uploadable cases, proper entry of the appropriate crypto mode selection and keys will be necessary. Deploying authentication will protect against counterfeit images as well as unauthorized images. Integration with Barbican will provide key management support for signing keys. This feature improves the enterprise-ready posture of OpenStack.

Comment 9 Mike McCune 2016-03-28 22:35:49 UTC
This bug was accidentally moved from POST to MODIFIED via an error in automation; please see mmccune with any questions.

Comment 12 Sean Cohen 2017-07-25 13:24:02 UTC
Closing the backport request for OSP7 (Feature is scoped for OSP13)
Sean