ipm icon indicating copy to clipboard operation
ipm copied to clipboard
verified publisher icon intersystems

Signed and Verifiable Packages

Open kuszewski opened this issue 4 years ago • 2 comments

It is absolutely critical that we have clear and verifiable sightlines into the source code supply chains. Software supply chain is one of the most common attack vectors for hackers. Here's a little overview of the topic: https://blog.tidelift.com/the-state-of-package-signing-across-package-managers

ZPM packages should be signed by their authors and ZPM clients should verify these signatures before unpacking the package.

kuszewski avatar Nov 22 '21 19:11 kuszewski

A note on this per recent internal conversations: The signing process is expected to live outside of IPM itself (as something that is done in a promotion process with an ORAS repo rather than during IPM publish), but IPM should be able to validate signatures following a standard format.

isc-tleavitt avatar Mar 13 '25 13:03 isc-tleavitt

Ideal design/implementation: For an ORAS client, we should be able to configure a Docker content trust server as an additional argument. If specified, content from the client will be verified against the trust server.

See for reference: https://docs.docker.com/engine/security/trust/trust_sandbox/ https://jfrog.com/help/r/jfrog-artifactory-documentation/working-with-docker-content-trust

Minor? Major? complication: docker-py (which oras uses under the hood) doesn't actually support Docker's trust mechanism: https://github.com/docker/docker-py/issues/1773

isc-tleavitt avatar Mar 14 '25 13:03 isc-tleavitt