Iron Bank images can only be verified with Notary (Docker Content Trust) at the moment they are pulled from Iron Bank, because the trust metadata lives in Iron Bank's Notary server rather than travelling with the image. Once the images are cached locally for consumption, or carried across an airgap, we have no way to validate their signatures.
The git repositories that are built for deployment do not have signed commits.
As an end user of BigBang I want to be able to cryptographically verify that:
The Iron Bank image was built by Iron Bank pipelines
The Iron Bank image was approved by XXX
The Helm chart was built by BigBang pipelines
The Helm chart was released/approved by XXX
If Helm charts were released as OCI artifacts, Sigstore (https://sigstore.dev/) could be used to sign and verify the artifact at each step of the pipeline. Because cosign stores its signatures in the registry alongside the artifact they sign, the signatures survive mirroring into a local cache or an airgapped registry, which is exactly what the Notary model above cannot do. Flux2 is tracking the feature request for deploying charts from OCI registries at https://github.com/fluxcd/source-controller/issues/124, and it would be a great addition to the community.
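To make the difference between the two storage models concrete, here is an added example (not code from BigBang, Iron Bank, Flux or Sigstore) that simulates a registry as an in-memory map and applies the cosign convention of storing the signature under the tag `sha256-<digest>.sig` in the same repository. The registry, repo names, sample chart bytes and `Mirror*` helpers are all constructed for the illustration; Ed25519 stands in for whatever key cosign is configured with. Copying the whole repository carries the signature into the airgap and verification still succeeds there; copying only the artifact tag (a docker pull/save/load) leaves the signature behind, as happens with Notary trust data today.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Registry is a toy stand-in for an OCI registry: repo -> tag -> content.
// Only the storage model matters here, not the OCI manifest format.
type Registry map[string]map[string][]byte

func (r Registry) Push(repo, tag string, blob []byte) {
	if r[repo] == nil {
		r[repo] = map[string][]byte{}
	}
	r[repo][tag] = blob
}

func (r Registry) Pull(repo, tag string) ([]byte, bool) {
	b, ok := r[repo][tag]
	return b, ok
}

// Digest is the sha256 hex digest the registry addresses content by and
// that the signer actually signs (the tag itself is mutable, the digest is not).
func Digest(blob []byte) string {
	sum := sha256.Sum256(blob)
	return hex.EncodeToString(sum[:])
}

// SigTag follows the cosign convention: the signature for an artifact lives
// under "sha256-<digest>.sig" in the same repository as the artifact.
func SigTag(digest string) string { return "sha256-" + digest + ".sig" }

// SignArtifact signs the artifact's digest and pushes the signature next to it.
func SignArtifact(reg Registry, repo, tag string, priv ed25519.PrivateKey) error {
	blob, ok := reg.Pull(repo, tag)
	if !ok {
		return errors.New("artifact not found")
	}
	d := Digest(blob)
	reg.Push(repo, SigTag(d), ed25519.Sign(priv, []byte(d)))
	return nil
}

// VerifyArtifact recomputes the digest of what was actually pulled, fetches the
// co-located signature and checks it against the key we decided to trust.
func VerifyArtifact(reg Registry, repo, tag string, pub ed25519.PublicKey) error {
	blob, ok := reg.Pull(repo, tag)
	if !ok {
		return errors.New("artifact not found")
	}
	d := Digest(blob)
	sig, ok := reg.Pull(repo, SigTag(d))
	if !ok {
		return fmt.Errorf("no signature for %s@sha256:%s", repo, d)
	}
	if !ed25519.Verify(pub, []byte(d), sig) {
		return errors.New("signature does not verify against the trusted key")
	}
	return nil
}

// MirrorRepo copies every tag, the way a whole-repository copy into an
// airgap registry would; the .sig tags come along with the artifact.
func MirrorRepo(src, dst Registry, repo string) {
	for tag, blob := range src[repo] {
		dst.Push(repo, tag, blob)
	}
}

// MirrorTagOnly copies just the artifact tag, like docker pull/save/load;
// the signature is left behind and cannot be checked on the far side.
func MirrorTagOnly(src, dst Registry, repo, tag string) {
	if blob, ok := src.Pull(repo, tag); ok {
		dst.Push(repo, tag, blob)
	}
}

// RunScenario returns the verification result for four cases: a full mirror,
// a tag-only mirror, a chart tampered with inside the mirror, and a chart
// re-signed in the mirror with an attacker's key.
func RunScenario() (fullMirror, tagOnly, tampered, forged error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	const repo, tag = "charts/example", "1.0.0"
	chart := []byte("apiVersion: v2\nname: example\nversion: 1.0.0\n") // constructed sample
	upstream := Registry{}
	upstream.Push(repo, tag, chart)
	if err := SignArtifact(upstream, repo, tag, priv); err != nil {
		panic(err)
	}

	airgap := Registry{}
	MirrorRepo(upstream, airgap, repo)
	fullMirror = VerifyArtifact(airgap, repo, tag, pub)

	airgapTagOnly := Registry{}
	MirrorTagOnly(upstream, airgapTagOnly, repo, tag)
	tagOnly = VerifyArtifact(airgapTagOnly, repo, tag, pub)

	// Tampering changes the digest, so the signature for the original is not even found.
	evil := append(append([]byte{}, chart...), "# backdoor\n"...)
	airgap.Push(repo, tag, evil)
	tampered = VerifyArtifact(airgap, repo, tag, pub)

	// Re-signing with a different key produces a .sig that the trusted key rejects.
	_, attackerPriv, _ := ed25519.GenerateKey(rand.Reader)
	_ = SignArtifact(airgap, repo, tag, attackerPriv)
	forged = VerifyArtifact(airgap, repo, tag, pub)
	return
}

func main() {
	a, b, c, d := RunScenario()
	fmt.Println("full mirror:", a)
	fmt.Println("tag-only mirror:", b)
	fmt.Println("tampered in mirror:", c)
	fmt.Println("forged signature:", d)
}
```

The point is the lookup in `VerifyArtifact`: the digest is recomputed from the bytes actually pulled, so a verifier in the airgap needs nothing from upstream except the public key it already trusts. Any tool that copies the repository rather than a single tag (cosign copy, or a full repo sync) preserves that property.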