You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Is your feature request related to a problem? Please describe.
FIPS CM-5(3) requires binaries to be signed. Even without the requirement customers want a way to easily verify the provenance of the packages we create.
Describe the solution you'd like
Ideally we modify our CI/CD pipelines to
verify provenance of external source code if possible
build our images with the verified code
add attestations; built from X, resolves CVE Y
sign our image
generate provenance
sign provenance
gather images and helm package —sign
Describe alternatives you've considered
We should at least publish a list of our images with their sha256 values and let the customer manually verify these.
Gloo Edge Product
Enterprise
Gloo Edge Version
N/A
Is your feature request related to a problem? Please describe.
FIPS CM-5(3) requires binaries to be signed. Even without the requirement customers want a way to easily verify the provenance of the packages we create.
Describe the solution you'd like
Ideally we modify our CI/CD pipelines to
Describe alternatives you've considered
We should at least publish a list of our images with their sha256 values and let the customer manually verify these.
Additional Context
Referring to FIPS CM-5(3): Signed Components https://csf.tools/reference/nist-sp-800-53/r4/cm/cm-5/cm-5-3/
Pre-requisit for: #5580
The text was updated successfully, but these errors were encountered: