feat: Add attestation entry point to Docker Images#1476
Conversation
fdefelici
left a comment
fdefelici
left a comment
There was a problem hiding this comment.
Added few remarks.
I need also a clarification, to check if my undestanding is right about this need.
We are offering this attestation verification and related samples, to allow a user to create its own docker image with blockstack-cli and signer binary?
We would like to enforce another small step that automate the process to verify the images source, the idea is to limit the the possibility to run unsigned software. To add to our signer plus the partners |
aldur
left a comment
aldur
left a comment
There was a problem hiding this comment.
Can you also modify the files under https://github.com/stacks-network/sbtc/blob/main/docker/mainnet/docker-compose.yml and the testnet corresponding version?
…tacks-network/sbtc into feat/add_attestation_validation_script
djordon
modified the milestones:
sBTC: Withdrawal fine tuning,
sBTC: Recovery and resiliency
5 participants
Description
This PR adds the support to the attestation verification in offline mode and give a suggestion on how to override the Docker entry point for Docker and Docker Compose.
Closes: #1310
Note:
The key material in trusted_root.jsonl does not have a built-in expiration date, so anything signed before you generate the trusted root file will continue to successfully verify. Anything signed after the file is generated will verify until that Sigstore instance rotates its key material, which typically happens a few times per year. You will not know if key material has been revoked since you last generated the trusted root file.
Open questions:
Changes
Testing Information
This is a build workflow that generates the attestation files: https://github.com/stacks-network/sbtc/actions/runs/13830677511/job/38694062940
Checklist: