Support signing and verifying multi-platform images #1229

@FeynmanZhou

Description

Is your feature request related to a problem?

As multi-platform images are getting more and more popular, Notation should consider a way to support signing and verifying a multi-platform image.

Multi-platform images are often published as OCI image indexes or Docker manifest lists, containing references to platform-specific images. Currently, Notation CLI primarily focuses on signing and verifying a single image, but this approach has limitations:

  • If only the image index is signed, a compromised platform-specific image may go undetected while the signature remains valid.
  • If only platform-specific images are signed, the integrity of the image index is not assured.

Supporting signing and verification for both the image index and platform-specific images will enhance security and integrity in multi-platform deployments.

Use cases

  • Docker Official Images
    Example: docker.io/library/nginx provides multi-platform support for different CPU architectures.
    Verifying signatures before pulling images in production environments prevents supply chain attacks.

  • Kubernetes Official Images
    Example: k8s.gcr.io/kube-apiserver supports multiple architectures such as AMD64, ARM64, and PPC64LE.
    Signing ensures that all platform-specific images are verified before deployment in Kubernetes clusters.

  • Other CNCF project images
    Example: ghcr.io/ratify-project/ratify:v1.4.0 and ghcr.io/oras-project/oras:v1.3.0-beta.2 provide multiple architectures. For the ratify image signed by `notation`, you can see that only the multi-platform image (index) has been signed, while none of the platform-specific images are signed yet. See the query result

Here are a few users who asked for this feature:

What solution do you propose?

  • Signing Multi-Platform Images: Provide an option in Notation CLI to recursively sign a multi-platform image (index) along with its platform-specific images.
  • Verification of Multi-Platform Images:
    • Ensure that verification can check signatures for both the image index and its referenced images.
    • Introduce trust policy to enforce required signatures on either the index, platform images, or both.
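As an added example (not Notation's own code) of the two halves of this proposal: enumerating the digest references that `notation sign` would have to cover for an index and its platform-specific images, and reporting which of them a policy of `index`, `platforms` or `both` still leaves unsigned. The index JSON, digests and repository name are constructed placeholders, and the `mode` names are assumptions, not Notation trust policy syntax.

```python
import hashlib
import json

# Constructed placeholder digests (not real image digests).
AMD64 = "sha256:" + "a" * 64
ARM64 = "sha256:" + "b" * 64
ATTEST = "sha256:" + "c" * 64

# Constructed OCI image index. The third entry mimics a buildx attestation
# manifest (platform unknown/unknown); it is not a runnable platform image.
INDEX_JSON = json.dumps({
    "schemaVersion": 2,
    "mediaType": "application/vnd.oci.image.index.v1+json",
    "manifests": [
        {"mediaType": "application/vnd.oci.image.manifest.v1+json", "size": 1200,
         "digest": AMD64, "platform": {"os": "linux", "architecture": "amd64"}},
        {"mediaType": "application/vnd.oci.image.manifest.v1+json", "size": 1210,
         "digest": ARM64, "platform": {"os": "linux", "architecture": "arm64"}},
        {"mediaType": "application/vnd.oci.image.manifest.v1+json", "size": 900,
         "digest": ATTEST, "platform": {"os": "unknown", "architecture": "unknown"},
         "annotations": {"vnd.docker.reference.type": "attestation-manifest"}},
    ],
}).encode()

def index_digest(raw: bytes) -> str:
    """Digest of the index as the registry stores it: hash the exact bytes,
    never a re-serialised copy, or the digest will not match the registry."""
    return "sha256:" + hashlib.sha256(raw).hexdigest()

def platform_manifests(raw: bytes) -> dict[str, str]:
    """Map 'os/arch' -> digest for runnable platform images, skipping
    attestation manifests that carry no real platform."""
    out: dict[str, str] = {}
    for m in json.loads(raw)["manifests"]:
        if m.get("annotations", {}).get("vnd.docker.reference.type") == "attestation-manifest":
            continue
        p = m.get("platform", {})
        out[f"{p.get('os')}/{p.get('architecture')}"] = m["digest"]
    return out

def references_to_sign(repo: str, raw: bytes) -> list[str]:
    """Digest references to pass to `notation sign`: the index plus each child."""
    return [f"{repo}@{index_digest(raw)}"] + [f"{repo}@{d}" for d in platform_manifests(raw).values()]

def unsigned_required(repo: str, raw: bytes, signed: set[str], mode: str) -> list[str]:
    """References that a policy of `mode` ('index', 'platforms', 'both')
    requires to be signed but which are absent from the `signed` digest set."""
    if mode not in ("index", "platforms", "both"):
        raise ValueError(f"unknown mode {mode!r}")
    required = [index_digest(raw)] if mode in ("index", "both") else []
    if mode in ("platforms", "both"):
        required.extend(platform_manifests(raw).values())
    return [f"{repo}@{d}" for d in required if d not in signed]
```

An empty list from `unsigned_required` means the policy is satisfied; the non-empty cases show the two gaps the issue describes (a signed index over unsigned children, or signed children under an unsigned index).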

What alternatives have you considered?

Signing only the image index: Leaves individual platform images unverified.
Signing only platform-specific images: Leaves the index open to manipulation.
Allowing configurable policy to choose signing strategy: Could provide flexibility for different security models.

Any additional context?

Open question: Should this feature allow selective signing of only the index or specific platform images? For example, users may want to sign a patched image and its index if there is a single-arch vulnerable image in a multi-platform image.
