Can PyPI packages & Docker/AMI images be digitally signed? #3948

Closed
theathorn opened this issue Mar 16, 2022 · 1 comment
Assignees
Labels
doc [subject] Internal and external documentation
orange [process] Done by the Azul team

Comments

@theathorn
theathorn commented Mar 16, 2022

CM-5(3) ACCESS RESTRICTIONS FOR CHANGE | SIGNED COMPONENTS
The information system prevents the installation of [Assignment: organization-defined software and firmware components] without verification that the component has been digitally signed using a certificate that is recognized and approved by the organization.

@theathorn theathorn added the orange [process] Done by the Azul team label Mar 16, 2022
@hannes-ucsc hannes-ucsc changed the title Figure out if Pipi, Docker, and AMI packages are digitally signed Figure out if PyPi packages, and Docker/AMI images are digitally signed Mar 16, 2022
@hannes-ucsc hannes-ucsc changed the title Figure out if PyPi packages, and Docker/AMI images are digitally signed Can PyPi packages, and Docker/AMI images be digitally signed? Mar 16, 2022
@hannes-ucsc hannes-ucsc changed the title Can PyPi packages, and Docker/AMI images be digitally signed? Can PyPi packages & Docker/AMI images be digitally signed? Mar 16, 2022
@hannes-ucsc hannes-ucsc changed the title Can PyPi packages & Docker/AMI images be digitally signed? Can PyPI packages & Docker/AMI images be digitally signed? Mar 16, 2022
@theathorn theathorn added doc [subject] Internal and external documentation task labels Mar 16, 2022
@hannes-ucsc
Member

For Docker images, there is https://docs.docker.com/engine/security/trust/ but most of the images we use aren't signed.

For PyPI there is PEP 458 and 480. The latter is a draft while the former is accepted but has not been implemented yet.
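The control quoted in the issue (CM-5(3)) boils down to one gate: refuse to install a component unless its signature verifies under a key the organisation has approved. Docker Content Trust and PEP 458 (TUF) are two concrete ways of delivering that signature metadata; the following is an added, self-contained Go illustration of the gate itself, not Azul code and not an implementation of either format. The artifact structure, key IDs, key set and sample bytes are all constructed for the example; real systems also need key distribution, revocation and rollback protection, which this deliberately leaves out.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// ApprovedKeys models the organisation's set of recognised signing keys
// (CM-5(3): "recognized and approved by the organization"), indexed by the
// key ID an artifact's signature metadata refers to. Constructed example data.
type ApprovedKeys map[string]ed25519.PublicKey

// SignedArtifact is the minimal metadata an installer needs: the artifact
// bytes, the ID of the key claimed to have signed it, and the signature over
// the SHA-256 digest of the bytes. Hypothetical format, not DCT or TUF metadata.
type SignedArtifact struct {
	Name      string
	Content   []byte
	KeyID     string
	Signature []byte
}

var (
	ErrUnsigned     = errors.New("artifact carries no signature")
	ErrUnknownKey   = errors.New("signing key is not approved by the organization")
	ErrBadSignature = errors.New("signature does not verify over artifact digest")
)

// digest is what gets signed: the SHA-256 of the artifact content.
func digest(content []byte) []byte {
	sum := sha256.Sum256(content)
	return sum[:]
}

// SignArtifact produces the signature a publisher would attach. It is here so
// the example is self-contained; an installer never holds the private key.
func SignArtifact(priv ed25519.PrivateKey, keyID, name string, content []byte) SignedArtifact {
	return SignedArtifact{
		Name:      name,
		Content:   content,
		KeyID:     keyID,
		Signature: ed25519.Sign(priv, digest(content)),
	}
}

// VerifyBeforeInstall is the gate CM-5(3) describes: nil only when the artifact
// is signed by an approved key and the signature verifies; anything else blocks.
func VerifyBeforeInstall(keys ApprovedKeys, a SignedArtifact) error {
	if len(a.Signature) == 0 {
		return ErrUnsigned
	}
	pub, ok := keys[a.KeyID]
	if !ok {
		return ErrUnknownKey // a valid signature from an unapproved key still fails
	}
	if !ed25519.Verify(pub, digest(a.Content), a.Signature) {
		return ErrBadSignature
	}
	return nil
}

// Demo walks through the accept case and the three reject cases and returns
// each outcome so they can be checked rather than only printed.
func Demo() (approved, tampered, unapproved, unsigned error) {
	orgPub, orgPriv, _ := ed25519.GenerateKey(rand.Reader) // organisation-approved key
	_, roguePriv, _ := ed25519.GenerateKey(rand.Reader)    // valid key, never approved
	keys := ApprovedKeys{"org-release-2022": orgPub}

	pkg := []byte("constructed wheel bytes for example-package-1.0.0") // constructed sample
	good := SignArtifact(orgPriv, "org-release-2022", "example-package-1.0.0.whl", pkg)
	approved = VerifyBeforeInstall(keys, good)

	// Content modified after signing: the digest no longer matches the signature.
	bad := good
	bad.Content = append([]byte{}, pkg...)
	bad.Content[0] ^= 0xff
	tampered = VerifyBeforeInstall(keys, bad)

	// Correctly signed, but by a key the organisation never approved.
	rogue := SignArtifact(roguePriv, "rogue-key", "example-package-1.0.0.whl", pkg)
	unapproved = VerifyBeforeInstall(keys, rogue)

	// No signature at all, the situation the comment above describes for most
	// of the Docker images in use.
	plain := SignedArtifact{Name: "unsigned.whl", Content: pkg}
	unsigned = VerifyBeforeInstall(keys, plain)
	return
}

func main() {
	a, t, u, n := Demo()
	fmt.Println("approved key, valid signature:", a)
	fmt.Println("tampered content:", t)
	fmt.Println("unapproved key:", u)
	fmt.Println("unsigned:", n)
}
```

The point worth noticing is the unapproved-key case: the signature there is cryptographically valid, and it is still rejected, because the control is about who signed, not merely that someone signed. Docker Content Trust enforces the same idea with `DOCKER_CONTENT_TRUST=1` and per-repository trusted keys; PEP 458 does it with TUF root metadata that names the keys PyPI's targets may be signed with.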

Projects
None yet
Development

No branches or pull requests

2 participants