Add cosign signature verification for plugin inventory image to ensure integrity of plugins #106
Commits on Mar 28, 2023
-
Add cosign signature verification for plugin inventory image to ensur…
…e integrity of plugins -Added signature verification of plugin inventory(DB) image to ensure the integrity of plugin downloaded and installed from the repository - Also embedded the default public key in the CLI required to verify the cosign signature - If the signature verification fails, CLI would show the warning message but would not throw error and users can choose to skip this validation by setting the environment variable TANZU_CLI_PLUGIN_DISCOVERY_IMAGE_SIGNATURE_VERIFICATION_SKIP_LIST with the discovery image url. User can also choose to suppress signature verification failure warning by setting TANZU_CLI_SUPPRESS_SKIP_SIGNATURE_VERIFICATION_WARNING to true. Signed-off-by: Prem Kumar Kalle <pkalle@vmware.com>
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.