Verify image signature when getting OS images information
Summary
The OS images are now signed, so it would be worth to check the signature before using. Ideally, the verification of the OS image signature should be in the script sylva-core/charts/sylva-units/scripts/create-os-images-info.sh
.
Then, if verification of the signature fails, the unit os-images-info shall fail too.
related references
This issue replaces sylva-projects/sylva-elements/helm-charts/os-image-server#9 (closed)
The issue depends on :
- sylva-projects/sylva-elements/diskimage-builder!218 (merged), which exposes the cosign public key to be used for verification.
- sylva-projects/sylva-elements/container-images/oci-tools!30 (merged), which adds cosign to oci-tools image
Edited by Pierrick Seite