Bug 1257306 - [RFE][glance] Image Signing and Verification Support
Summary: [RFE][glance] Image Signing and Verification Support
Alias: None
Product: Red Hat OpenStack
Classification: Red Hat
Component: openstack-glance
Version: unspecified
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
: 8.0 (Liberty)
Assignee: Flavio Percoco
QA Contact: nlevinki
URL: https://blueprints.launchpad.net/glan...
Whiteboard: upstream_milestone_liberty-3 upstream...
Depends On:
Blocks: 1316607 1365571
TreeView+ depends on / blocked
Reported: 2015-08-26 17:56 UTC by Sean Cohen
Modified: 2017-07-25 13:24 UTC (History)
10 users (show)

Fixed In Version:
Doc Type: Enhancement
Doc Text:
This release includes a tech preview of Image Signing and Verification for glance images. This feature helps protect image integrity by ensuring no modifications occur after the image is uploaded by a user. This capability includes both signing of the image, and signature validation of bootable images when used.
Clone Of:
: 1316607 (view as bug list)
Last Closed: 2017-07-25 13:24:02 UTC
Target Upstream Version:

Attachments (Terms of Use)

System ID Priority Status Summary Last Updated
OpenStack gerrit 177948 None None None Never
OpenStack gerrit 183137 None None None Never
Red Hat Knowledge Base (Solution) 2604741 None None None 2016-09-06 14:29:12 UTC

Description Sean Cohen 2015-08-26 17:56:31 UTC
OpenStack currently doesn't support either of the following features:

* Signing and signature validation of bootable images
* Validation of uploaded signed images

This blueprint adds support for both of these features. If an uploaded image is signed, Glance will verify the signature prior to storing it. In each of the uploadable cases, proper entry of the appropriate crypto mode selection and keys will be necessary. Deploying authentication will protect against counterfeit images as well as unauthorized images. Integration with Barbican will provide key management support for signing keys. This feature improves the enterprise-ready posture of OpenStack.

Comment 9 Mike McCune 2016-03-28 22:35:49 UTC
This bug was accidentally moved from POST to MODIFIED via an error in automation, please see mmccune@redhat.com with any questions

Comment 12 Sean Cohen 2017-07-25 13:24:02 UTC
Closing the backport request for OSP7 (Feature is scoped for OSP13)

Note You need to log in before you can comment on or make changes to this bug.