Background
sindri registry serve ships in Phase 3 (#259) as a read-only embedded OCI registry over a components directory. The original spec called for an optional --sign-with <key> flag so operators could test end-to-end strict-OCI verification against a local dev registry.
In PR #259 the flag was stripped because shipping a flag that parses but no-ops would have been misleading. The use case (local signed-pull testing) is real but niche, and re-signing is non-trivial — it requires v4's first signing operation (everything else is verification).
In scope
New CosignSigner sibling to the existing CosignVerifier (v4/crates/sindri-registry/src/signing.rs). Reads a cosign private key, signs a manifest digest per the cosign manifest spec.
Wire --sign-with <keyfile> back onto sindri registry serve (v4/crates/sindri/src/commands/registry/serve.rs).
When --sign-with is set, every served manifest is signed and the cosign signature manifest is injected into the served index.json per the spec.
Optional --key-password-env <var> for password-protected keys; never read from prompt in a server (would block).
Update v4/docs/SOURCES.md to remove the "Phase 5 follow-up" note on serve and document the flag.
Tests: pull from serve --sign-with <key> via oci-distribution's client, verify the cosign signature against the configured key.
Out of scope
Production signing infrastructure (KMS, HSM integration). --sign-with is for local dev/test of the trust chain.
Re-signing in prefetch — that workflow's contract is verbatim manifest streaming (preserves upstream signatures); see Phase 3 follow-up rationale.
Verification
sindri registry serve --root ./components --sign-with ./test-cosign.key is reachable from a LocalOciSource with supports_strict_oci() returning true against the configured key's trust scope.
An apply --strict-oci against a registry served with --sign-with succeeds end-to-end with no network.
Without --sign-with, served manifests are unsigned (current behaviour); --strict-oci correctly rejects them.
Reference
v4/docs/ADRs/028-component-source-modes.md
v4/docs/DDDs/08-registry-source-domain.md
v4/docs/SOURCES.md
v4/docs/plan/source-modes-implementation.md
v4/docs/ADRs/014-signed-registries-cosign.md
CosignVerifier to mirror — v4/crates/sindri-registry/src/signing.rs
serve command — v4/crates/sindri/src/commands/registry/serve.rs