Make it clear that cleartext signatures are not accepted in simple signing

The current implementation transparently accepts them in gpgmeSigningMechanism,
but openpgpSigningMechanism rejects them; so make it clear that they should
be rejected.

Signed-off-by: Miloslav Trmač <mitr@redhat.com>
Miloslav Trmač 2023-02-17 02:25:51 +01:00
parent 15e211694a
commit c670744110
1 changed file with 3 additions and 1 deletion


@ -68,7 +68,9 @@ the consumer MUST verify at least the following aspects of the signature
(like the `github.com/containers/image/signature` package does):
- The blob MUST be a “Signed Message” as defined RFC 4880 section 11.3.
(e.g. it MUST NOT be an unsigned “Literal Message”, or any other non-signature format).
(e.g. it MUST NOT be an unsigned “Literal Message”,
a “Cleartext Signature” as defined in RFC 4880 section 7,
or any other non-signature format).
- The signature MUST have been made by an expected key trusted for the purpose (and the specific container image).
- The signature MUST be correctly formed and pass the cryptographic validation.
- The signature MUST correctly authenticate the included JSON payload
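Review bot: this hunk makes the specification stricter than one of the two implementations it describes. The added lines say a consumer MUST reject a "Cleartext Signature" as defined in RFC 4880 section 7, yet the commit message states that gpgmeSigningMechanism currently accepts such blobs transparently and only openpgpSigningMechanism rejects them, so after this doc-only change the gpgme-backed path no longer conforms to its own documented rules. Either land a matching rejection in gpgmeSigningMechanism together with this text, or add a sentence next to the new bullet stating that the gpgme-based verifier does not yet enforce this requirement, so readers of the spec do not assume a check that is not performed. Nit: the retained context line "The blob MUST be a “Signed Message” as defined RFC 4880 section 11.3." is missing "in", while the new line reads "as defined in RFC 4880 section 7"; worth fixing for consistency while this bullet is being touched.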