Hi,
Starting with 8.8.0, the Elastic images are now signed with Cosign Sigstore as you can see below.
Do you have plans to support signing the "library" images?
Or even better a way for us to push our signed images there similar to the elastic images?
Thanks
cc @tianon
Elasticsearch - Docker Hub Elastic repository
cosign verify \
--key https://artifacts.elastic.co/cosign.pub \
elastic/elasticsearch:8.8.0
Verification for index.docker.io/elastic/elasticsearch:8.8.0 --
The following checks were performed on each of these signatures:
- The cosign claims were validated
- Existence of the claims in the transparency log was verified offline
- The signatures were verified against the specified public key
[{"critical":{"identity":{"docker-reference":"docker.elastic.co/elasticsearch/elasticsearch"},"image":{"docker-manifest-digest":"sha256:9aaa38551b4d9e655c54d9dc6a1dad24ee568c41952dc8cf1d4808513cfb5f65"},"type":"cosign container image signature"},"optional":{"Bundle":{"SignedEntryTimestamp":"MEUCIB6wscj/N6wUOhMq9pFSgaaji3d5HlOLsz2xiI40aW0mAiEA6nvDSPSwwfShSVbILUTbMFqVAfPWvrB5XXz13htMlUQ=","Payload":{"body":"eyJhcGlWZXJzaW9uIjoiMC4wLjEiLCJraW5kIjoiaGFzaGVkcmVrb3JkIiwic3BlYyI6eyJkYXRhIjp7Imhhc2giOnsiYWxnb3JpdGhtIjoic2hhMjU2IiwidmFsdWUiOiIzZmYzZDIzZWVmOTliMDI3YWMzNjE2YWY2ZWQyZTk4MjgyMDRkOTY0MTU0MTQ4MzJiZTU5YThhMzAzZmRjN2YzIn19LCJzaWduYXR1cmUiOnsiY29udGVudCI6Ik1FWUNJUURIenVoV3pibkZsSUxVallMN2MxWm9TaVh3NzVPdmF2SldLVGsvcGRSQUhRSWhBS2hZSS9KTXZtNWJ6M3k2ajdvSzFQc2ZxUUQ0K01lQS9uSFB2a3F4UzIzVyIsInB1YmxpY0tleSI6eyJjb250ZW50IjoiTFMwdExTMUNSVWRKVGlCUVZVSk1TVU1nUzBWWkxTMHRMUzBLVFVacmQwVjNXVWhMYjFwSmVtb3dRMEZSV1VsTGIxcEplbW93UkVGUlkwUlJaMEZGY1ZaMlRtUlJkR1JrZEdWdGRtWmpWV1V5VGpCbloxZ3ZjSFJxYVFwRlZYRjRlakp3UkZVM1ZWYzFiVE53WkcxSU1UTnJUVXR3ZURselJqUjJWVFZLVDJVM1ZYSXJSazVJVERkaFlXaE1hbWRIWXpBNGRXUkJQVDBLTFMwdExTMUZUa1FnVUZWQ1RFbERJRXRGV1MwdExTMHRDZz09In19fX0=","integratedTime":1685024464,"logIndex":21642671,"logID":"c0d23d6ad406973f9559f3ba2d1ca01f84147d8ffc5b8445c224f98b9591801d"}},"tag":"8.8.0"}}]
Elasticsearch - Elastic Container Registry
cosign verify \
--key https://artifacts.elastic.co/cosign.pub \
docker.elastic.co/elasticsearch/elasticsearch:8.8.0
Verification for docker.elastic.co/elasticsearch/elasticsearch:8.8.0 --
The following checks were performed on each of these signatures:
- The cosign claims were validated
- Existence of the claims in the transparency log was verified offline
- The signatures were verified against the specified public key
[{"critical":{"identity":{"docker-reference":"docker.elastic.co/elasticsearch/elasticsearch"},"image":{"docker-manifest-digest":"sha256:9aaa38551b4d9e655c54d9dc6a1dad24ee568c41952dc8cf1d4808513cfb5f65"},"type":"cosign container image signature"},"optional":{"Bundle":{"SignedEntryTimestamp":"MEUCIB6wscj/N6wUOhMq9pFSgaaji3d5HlOLsz2xiI40aW0mAiEA6nvDSPSwwfShSVbILUTbMFqVAfPWvrB5XXz13htMlUQ=","Payload":{"body":"eyJhcGlWZXJzaW9uIjoiMC4wLjEiLCJraW5kIjoiaGFzaGVkcmVrb3JkIiwic3BlYyI6eyJkYXRhIjp7Imhhc2giOnsiYWxnb3JpdGhtIjoic2hhMjU2IiwidmFsdWUiOiIzZmYzZDIzZWVmOTliMDI3YWMzNjE2YWY2ZWQyZTk4MjgyMDRkOTY0MTU0MTQ4MzJiZTU5YThhMzAzZmRjN2YzIn19LCJzaWduYXR1cmUiOnsiY29udGVudCI6Ik1FWUNJUURIenVoV3pibkZsSUxVallMN2MxWm9TaVh3NzVPdmF2SldLVGsvcGRSQUhRSWhBS2hZSS9KTXZtNWJ6M3k2ajdvSzFQc2ZxUUQ0K01lQS9uSFB2a3F4UzIzVyIsInB1YmxpY0tleSI6eyJjb250ZW50IjoiTFMwdExTMUNSVWRKVGlCUVZVSk1TVU1nUzBWWkxTMHRMUzBLVFVacmQwVjNXVWhMYjFwSmVtb3dRMEZSV1VsTGIxcEplbW93UkVGUlkwUlJaMEZGY1ZaMlRtUlJkR1JrZEdWdGRtWmpWV1V5VGpCbloxZ3ZjSFJxYVFwRlZYRjRlakp3UkZVM1ZWYzFiVE53WkcxSU1UTnJUVXR3ZURselJqUjJWVFZLVDJVM1ZYSXJSazVJVERkaFlXaE1hbWRIWXpBNGRXUkJQVDBLTFMwdExTMUZUa1FnVUZWQ1RFbERJRXRGV1MwdExTMHRDZz09In19fX0=","integratedTime":1685024464,"logIndex":21642671,"logID":"c0d23d6ad406973f9559f3ba2d1ca01f84147d8ffc5b8445c224f98b9591801d"}},"tag":"8.8.0"}}]
Elasticsearch - AWS ECR registry
cosign verify \
--key https://artifacts.elastic.co/cosign.pub \
public.ecr.aws/elastic/elasticsearch:8.8.0
Verification for public.ecr.aws/elastic/elasticsearch:8.8.0 --
The following checks were performed on each of these signatures:
- The cosign claims were validated
- Existence of the claims in the transparency log was verified offline
- The signatures were verified against the specified public key
[{"critical":{"identity":{"docker-reference":"docker.elastic.co/elasticsearch/elasticsearch"},"image":{"docker-manifest-digest":"sha256:9aaa38551b4d9e655c54d9dc6a1dad24ee568c41952dc8cf1d4808513cfb5f65"},"type":"cosign container image signature"},"optional":{"Bundle":{"SignedEntryTimestamp":"MEUCIB6wscj/N6wUOhMq9pFSgaaji3d5HlOLsz2xiI40aW0mAiEA6nvDSPSwwfShSVbILUTbMFqVAfPWvrB5XXz13htMlUQ=","Payload":{"body":"eyJhcGlWZXJzaW9uIjoiMC4wLjEiLCJraW5kIjoiaGFzaGVkcmVrb3JkIiwic3BlYyI6eyJkYXRhIjp7Imhhc2giOnsiYWxnb3JpdGhtIjoic2hhMjU2IiwidmFsdWUiOiIzZmYzZDIzZWVmOTliMDI3YWMzNjE2YWY2ZWQyZTk4MjgyMDRkOTY0MTU0MTQ4MzJiZTU5YThhMzAzZmRjN2YzIn19LCJzaWduYXR1cmUiOnsiY29udGVudCI6Ik1FWUNJUURIenVoV3pibkZsSUxVallMN2MxWm9TaVh3NzVPdmF2SldLVGsvcGRSQUhRSWhBS2hZSS9KTXZtNWJ6M3k2ajdvSzFQc2ZxUUQ0K01lQS9uSFB2a3F4UzIzVyIsInB1YmxpY0tleSI6eyJjb250ZW50IjoiTFMwdExTMUNSVWRKVGlCUVZVSk1TVU1nUzBWWkxTMHRMUzBLVFVacmQwVjNXVWhMYjFwSmVtb3dRMEZSV1VsTGIxcEplbW93UkVGUlkwUlJaMEZGY1ZaMlRtUlJkR1JrZEdWdGRtWmpWV1V5VGpCbloxZ3ZjSFJxYVFwRlZYRjRlakp3UkZVM1ZWYzFiVE53WkcxSU1UTnJUVXR3ZURselJqUjJWVFZLVDJVM1ZYSXJSazVJVERkaFlXaE1hbWRIWXpBNGRXUkJQVDBLTFMwdExTMUZUa1FnVUZWQ1RFbERJRXRGV1MwdExTMHRDZz09In19fX0=","integratedTime":1685024464,"logIndex":21642671,"logID":"c0d23d6ad406973f9559f3ba2d1ca01f84147d8ffc5b8445c224f98b9591801d"}},"tag":"8.8.0"}}]
Hi,
Starting with 8.8.0, the Elastic images are now signed with Cosign Sigstore as you can see below.
Do you have plans to support signing the "library" images?
Or even better a way for us to push our signed images there similar to the
elasticimages?Thanks
cc @tianon
Elasticsearch - Docker Hub Elastic repository
Elasticsearch - Elastic Container Registry
Elasticsearch - AWS ECR registry