# Signy Sync 2021-03-12

* What is the state of signy now?
  * Not implemented from spec: in-toto root key (open signy PR).
  * Moving signatures around: signed in ACR, can pull and verify, yay! But when moving to an on-prem registry (off network), or archiving a thick bundle to move across an airgap, the signature can't be moved (due to Notary v1 limitations). You have to re-sign. Signature metadata can't be exported to move it. If the registry is compatible and nothing changes, it's possible to end up with the same signature, but that's not guaranteed.
  * in-toto attestation that you pulled, verified and re-signed.
* If someone wanted to do supply chain security, what components are needed and what is the workflow?
  * signy assumes that you used the in-toto toolchain; it doesn't make assumptions about the layout.
  * https://in-toto.engineering.nyu.edu/ walkthrough to get a layout.
  * You don't have to use in-toto if you don't know it. You can just use TUF.
  * TUF by default, in-toto for people who know it.
* What is the roadmap for signy? (e.g. big PR from Trishank for delegation)
  * Finish this PR.
  * Make it easier to use as a drop-in library.
  * Something to look at is storing in-toto metadata as OCI artifacts as well (roadmap).
* What is our relationship to Notary v2? Are we waiting for it? Relying on anything?
  * v2 isn't finished, so v1 is what people are using, and it's okay to just say that's what we work with.
  * v2 is trying to use OCI artifacts and isn't making progress.
  * in-toto layout etc. is all TUF metadata (in the custom field).
* Are there other tools besides Notary that work with signing bundles (e.g. ACR, Docker Hub, Harbor)?
  * Just side-car Notary; no one else implemented it.
  * Enable content trust and you get Notary.
* When we integrate signy with Porter, which commands/calls are affected?
  * publish
    1. Calls cnab-to-oci to push first.
    2. Referenced images and signing: when we push the referenced image (cnab-to-oci) and the digest drifts between the bundle and the registry digest, should we bail out? (the cnab-to-oci autoupdate flag) https://github.com/cnabio/cnab-to-oci/blob/main/cmd/cnab-to-oci/push.go#L25
    4. signy gets the content digest for the bundle, signs the content digest of bundle.json and pushes the signature to Notary. We don't want a signature with a missing artifact, which is why signing comes second.
  * pull
    * For each bundle you need to know where to find the Notary endpoint.
    * We can default known trust servers and look for a signature by default for whatever is globally configured. Users can override. Fail if a signature exists but fails verification. Global option to require all bundles to be signed.
* Does using signed images change anything for the images deployed by Porter? Scott was confused about how to use this with a k8s admission controller that required signed images.
  * The admission controller rejects unsigned images for pods.
  * Signatures for referenced images are not relocated along with the image (see the limitation of Notary v1 above).
  * Could be addressed by re-signing images when relocated.
  * v2 could fix this because a signature is a manifest that can be moved.
  * There was an issue in signy to auto-sign referenced images.

Hey! Just saw this

2:51 basically, we need some way to verify that an image or bundle is good before it goes into our kubernetes cluster

2:51 our only options right now are 1) PorterOps, or 2) Notary V2, which allows signing of images, not just a signature that says "hey, this tag is this digest"
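The publish and pull bullets above describe an ordering and a policy rather than code, so here is an added Go sketch of both (written for these notes; it is not signy's or Porter's code and uses no signy, Notary or cnab-to-oci API). The `Bundle`/`Image` types are a hypothetical minimal subset of bundle.json, the `registry` map stands in for the digests a registry reports after the push, and `TrustLookup` stands in for the Notary query; all sample values are constructed.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
	"sort"
)

// Bundle and Image: a hypothetical minimal subset of CNAB bundle.json, not
// Porter's or signy's own types.
type Bundle struct {
	Name   string           `json:"name"`
	Images map[string]Image `json:"images"`
}

type Image struct {
	Image         string `json:"image"`
	ContentDigest string `json:"contentDigest"`
}

// ContentDigest is the sha256 of the exact bundle.json bytes, the value the
// notes say signy signs and pushes to Notary.
func ContentDigest(bundleJSON []byte) string {
	sum := sha256.Sum256(bundleJSON)
	return "sha256:" + hex.EncodeToString(sum[:])
}

// ReferencedDigestDrift lists the referenced images whose digest in the bundle
// differs from what the registry reports after the push. registry is a
// constructed map standing in for a real registry lookup.
func ReferencedDigestDrift(b Bundle, registry map[string]string) []string {
	var drifted []string
	for name, img := range b.Images {
		if got, ok := registry[img.Image]; ok && got != img.ContentDigest {
			drifted = append(drifted, name)
		}
	}
	sort.Strings(drifted)
	return drifted
}

// PublishDigest keeps the ordering from the notes: images are pushed first, and
// only then is the bundle digest produced for signing. With drift and autoupdate
// off it bails out before signing, so no signature ever describes an artifact the
// registry does not hold; with autoupdate on the bundle is rewritten first.
func PublishDigest(b Bundle, registry map[string]string, autoupdate bool) (string, error) {
	if drift := ReferencedDigestDrift(b, registry); len(drift) > 0 && !autoupdate {
		return "", fmt.Errorf("digest drift for referenced images %v; refusing to sign", drift)
	}
	updated := Bundle{Name: b.Name, Images: map[string]Image{}}
	for name, img := range b.Images {
		if got, ok := registry[img.Image]; ok {
			img.ContentDigest = got
		}
		updated.Images[name] = img
	}
	raw, err := json.Marshal(updated) // map keys are emitted sorted, so the bytes are stable
	if err != nil {
		return "", err
	}
	return ContentDigest(raw), nil
}

// TrustLookup returns the digest the trust server has signed for ref and whether
// any signature exists at all; a real one would query Notary.
type TrustLookup func(ref string) (signedDigest string, found bool, err error)

// VerifyPull is the pull policy from the notes: a signature that exists but does
// not match the pulled digest always fails; a missing signature fails only when
// requireSigned (the global "all bundles must be signed" option) is set.
func VerifyPull(ref, pulledDigest string, lookup TrustLookup, requireSigned bool) error {
	signed, found, err := lookup(ref)
	if err != nil {
		return fmt.Errorf("%s: trust server error: %w", ref, err)
	}
	if !found {
		if requireSigned {
			return fmt.Errorf("%s: unsigned, and signed bundles are required", ref)
		}
		return nil
	}
	if signed != pulledDigest {
		return fmt.Errorf("%s: signed %s but pulled %s", ref, signed, pulledDigest)
	}
	return nil
}

func main() {
	// Constructed bundle whose one referenced image changed digest on push.
	b := Bundle{Name: "example", Images: map[string]Image{
		"web": {Image: "registry.example.com/app/web:1.0", ContentDigest: "sha256:aaa"},
	}}
	registry := map[string]string{"registry.example.com/app/web:1.0": "sha256:bbb"}
	if _, err := PublishDigest(b, registry, false); err != nil {
		fmt.Println("bailed out:", err)
	}
	d, _ := PublishDigest(b, registry, true)
	fmt.Println("would sign", d)
}
```

The drift check runs before the bundle bytes are digested, so whatever is signed always describes the referenced digests actually present in the registry; that is the "which is why it's second" point from the publish bullets. On the pull side, note that the mismatch branch is independent of `requireSigned`: an existing signature that does not verify is never downgraded to "unsigned", which is what the "fail if a signature exists but fails verification" rule asks for.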