EF oauth login required for using cosign

Summary

Eclipse Adoptium is looking to trial container signing using sigstore as per https://github.com/adoptium/infrastructure/issues/2734. At the moment we are going to see how it works on our build container images for internal use, then evaluate it going forward.

Steps to reproduce

n/a - we wish to use keystore

What is the current bug behavior?

n/a - new requirement

What is the expected correct behavior?

Eclipse Adoptium can use sigstore's cosign to create signatures before the images are pushed up to a container registry, and then verify them when we pull them back down.

Relevant logs and/or screenshots

n/a

Priority

  • Urgent
  • High
  • Medium
  • Low

Severity

  • Blocker
  • Major
  • Normal
  • Low

Impact

Part of our never-ending drive to use secure development practices wherever we can.