Skip to content

cosign: verify image signatures on first install, not just upgrade (#376 follow-up) #452

Description

@VijitSingh97

Follow-up from the #376 (PR #450) security review — LOW, deferred.

Only pithead upgrade calls verify_release_images. A fresh release install's first pithead up / apply (pull policy missing) pulls the 5 first-party images with no signature check, even though cosign.pub ships in the bundle and is sitting right there. The images are digest-pinned only after the first pull.

Fix: call verify_release_images (or an equivalent gate) on the first-install pull path too, guarded the same way (skip on source checkouts, warn-and-proceed when no cosign.pub). One call-site addition; keep it fail-closed when the key is present.

Refs #376, PR #450.

Metadata

Metadata

Assignees

No one assigned

    Labels

    infraDeployment, packaging, releasessecuritySecurity-sensitive issue or hardening

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions