Skip to content

Latest container images aren't signed #245

@jordi-t

Description

@jordi-t

It appears that this image isn't signed:

cosign verify ghcr.io/cloudnative-pg/postgresql@sha256:6d41466de5d43a80544cc5768038b2de964ae5b1d725683c03c5d9f81fdc2e43 --certificate-identity-regexp="^https://github.com/cloudnative-pg/postgres-containers/" --certificate-oidc-issuer="https://token.actions.githubusercontent.com"

Error: no signatures found
error during command execution: no signatures found

The same goes for all other images built 3 days ago. I guess it has something to do with this failed workflow.

This is a bit problematic for environments which are automatically validating image signatures through policies, as these will now block pods of CNPG clusters based on these images.

FYI images built 10 days ago actually do contain a signature.

Metadata

Metadata

Assignees

No one assigned

    Labels

    bugSomething isn't workingsecurity 👮Security issues or related to

    Type

    No type

    Projects

    Status

    Done

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions