Description of problem: Customer would like to know, from the following questions, what is supported from the OpenShift side and, depending on what is supported, how this can be done, or whether it is possible to update our documentation regarding these issues:

### Transcript from case description

I would like to know whether it's possible to use docker/Notary signatures for container images and use OpenShift verification methods to verify such images? If yes, what is the workflow and commands on:

- creating image stream/ISTAG (pointing to external registry)
- verification of such ISTAG signature (and what integrations are perhaps required, e.g. Notary API access)?
- is anything else required for enabling content trust (making sure containers have verified signatures) than defining the Image Signature Policy (ISP)?

We have OpenShift customers that would like to:

a) Use container signing for image trust verification (preferably Notary signatures rather than Atomic signatures)
b) Use an external registry such as Artifactory for source image location
c) Have Image Streams within OpenShift point to the external registry
d) Verify image signatures using OCP features, again with Notary signatures, if possible

So something like:

- Use the OpenShift Image Signature Policy + the verification command to mark the Image Stream tags as verified (and run with trust).

I've written some generic details/questions also here: https://superuser.com/questions/1303434/image-signatures-content-trust-with-notary-openshift

It's confusing that there are indications such as "Notary integration is not a target for RH" but still docker signature transports are advertised to work. So looking for information on how feasible it would be to perform the signature verification in OpenShift against Notary signatures and what would be the workflow/call sequence in that?
Links:

- Signature format support (docker exists): https://docs.openshift.com/container-platform/3.6/security/deployment.html#security-deployment-signature-transports
- OCP ISP: https://github.com/containers/image/blob/master/docs/policy.json.md#a-reasonably-locked-down-system
- Image Stream tag verification command: https://docs.openshift.com/container-platform/3.7/admin_guide/image_signatures.html#verifying-image-signatures-using-openshift-cli
- Notary integration not an OCP goal: https://trello.com/c/CNxOQ5Vs/1358-notary-integration
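As an added example (not from the case, from OpenShift's docs or from containers/image), a small Python model of how a policy.json in the "signedBy" shape linked above is applied to an image reference, plus an audit helper that lists scopes accepting unsigned images. Registry names, scopes and the key path are constructed, and the scope lookup is a simplified version of the real one (exact reference, then repository, then namespace prefixes, then registry host, then `default`).

```python
import json
# Constructed policy.json (signedBy shape from the containers/image docs); names and paths are assumptions.
POLICY_JSON = """{
  "default": [{"type": "reject"}],
  "transports": {"docker": {
    "artifactory.example.com": [
      {"type": "signedBy", "keyType": "GPGKeys",
       "keyPath": "/etc/pki/containers/release.gpg"}],
    "artifactory.example.com/sandbox": [{"type": "insecureAcceptAnything"}],
    "docker.io": [{"type": "reject"}]
  }}
}"""
POLICY = json.loads(POLICY_JSON)

def candidate_scopes(image_ref):
    """Docker-transport scopes for a reference, most specific first (simplified)."""
    scopes = [image_ref]                      # exact reference incl. tag/digest
    repo = image_ref.split("@", 1)[0]         # strip @sha256:... digest
    if ":" in repo.rsplit("/", 1)[-1]:        # strip :tag (not a registry port)
        repo = repo.rsplit(":", 1)[0]
    if repo != image_ref:
        scopes.append(repo)                   # whole repository
    parts = repo.split("/")
    for i in range(len(parts) - 1, 0, -1):    # namespaces, then registry host
        scopes.append("/".join(parts[:i]))
    return scopes

def effective_requirements(policy, image_ref):
    docker = policy.get("transports", {}).get("docker", {})
    for scope in candidate_scopes(image_ref):  # first hit is the most specific
        if scope in docker:
            return scope, docker[scope]
    return "default", policy["default"]

def verdict(policy, image_ref):
    """Classify what the policy demands before the image may be used."""
    scope, reqs = effective_requirements(policy, image_ref)
    types = {r["type"] for r in reqs}
    if "reject" in types:
        return scope, "rejected"
    if types == {"insecureAcceptAnything"}:
        return scope, "accepted without signature check"
    return scope, "requires GPG signature(s)"   # signedBy = atomic/GPG, not Notary

def unsigned_scopes(policy):
    """Audit: scopes (and default) that accept images with no signature check."""
    docker = policy.get("transports", {}).get("docker", {})
    entries = [("default", policy["default"])] + list(docker.items())
    return [s for s, reqs in entries
            if {r["type"] for r in reqs} == {"insecureAcceptAnything"}]
```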
Possible Duplicate: https://bugzilla.redhat.com/show_bug.cgi?id=1282754
As per this https://bugzilla.redhat.com/show_bug.cgi?id=1282754#c3, Notary is not supported. I am going to close this bug as WONTFIX.