sigstore-bundle: add sigstore bundle image verification #567
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
p5
changed the title
podmanbot
pushed a commit
to podmanbot/buildah
that referenced
this pull request
Dec 24, 2025
|
✅ A new PR has been created in buildah to vendor these changes: containers/buildah#6613 |
|
Packit jobs failed. @containers/packit-build please check. |
p5
force-pushed
the
dev/robertsturla/sigstore-bundle-verification
branch
from
a285903 to
1f0c308
Compare
podmanbot
pushed a commit
to podmanbot/buildah
that referenced
this pull request
Dec 24, 2025
p5
force-pushed
the
dev/robertsturla/sigstore-bundle-verification
branch
from
1f0c308 to
98629c5
Compare
github-actions
bot
added
storage
p5
force-pushed
the
dev/robertsturla/sigstore-bundle-verification
branch
8 times, most recently
from
374a72c to
2f9c022
Compare
Update the minimum Go version requirement to 1.25.0 in go.work and image/go.mod to support sigstore dependencies that require Go 1.25.0. Signed-off-by: Robert Sturla <rsturla@redhat.com>
Signed-off-by: Robert Sturla <rsturla@redhat.com>
p5
force-pushed
the
dev/robertsturla/sigstore-bundle-verification
branch
from
2f9c022 to
07102dd
Compare
Signed-off-by: Robert Sturla <rsturla@redhat.com>
Signed-off-by: Robert Sturla <rsturla@redhat.com>
p5
force-pushed
the
dev/robertsturla/sigstore-bundle-verification
branch
from
07102dd to
7dd6b21
Compare
…atures Signed-off-by: Robert Sturla <rsturla@redhat.com>
Signed-off-by: Robert Sturla <rsturla@redhat.com>
p5
force-pushed
the
dev/robertsturla/sigstore-bundle-verification
branch
from
7dd6b21 to
b5c927b
Compare
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Fixes #388
This is a very early stage implementation of the new sigstore bundle format verification for use in podman, skopeo and co.
Cosign v3 was released a few months ago with a change to the default format they use for signatures. The new format is not compatible with this library, and therefore verification fails on any image pushed using the default settings in cosign v3.
This does NOT implement pushing new signatures - purely reading and verifying.
I expect to iterate over this PR in draft for a while. Just raised this here for some early feedback. Fulcio is completely new to me and have not yet been able to test this use-case, yet.
Test cases were pretty heavily implemented by Claude Code with close guidance from myself.
Assisted by: Claude Opus 4.5 via Cursor