roof/pic
1
0
Fork 0
Code Issues Pull Requests Actions Wiki Activity

feat: secure build phase 2 — enforce image verification by default

Browse Source 
All store images are now digest-pinned and cosign-signed by the publish
pipeline, so the warn-by-default training-wheels period is over: an
unsigned or undigested image must not install unless the admin
explicitly opts out. The service_composer fallback used when the config
manager is unavailable or corrupt also flips to enforce — config
corruption must fail closed rather than silently weaken verification.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
This commit is contained in:
Dmitrii Iurco
2026-06-11 14:12:58 -04:00
parent c430a392b8
commit 2ab3d2d5ac
5 changed files with 66 additions and 13 deletions
Download Patch File Download Diff File Expand all files Collapse all files
api/service_composer.py
+1 -1
View File
@@ -285,7 +285,7 @@ class ServiceComposer:
return getter()
except Exception as e: # config corruption must not crash install
logger.warning('service_composer: could not read verification mode: %s', e)
return 'warn'
return 'enforce'
def _cosign_verify(self, image_ref: str) -> Dict:
"""Run `cosign verify` against the bundled public key for one image ref.