New container::image_verify gates PodmanClient::pull_image and the dev-only DockerRuntime::pull_image. Signature claims classify three ways: absent/empty (pull unverified, logged), the literal 'cosign://...' placeholder every fleet manifest carries today (same — enforcement stays dormant until the signing ceremony ships real values), or a declared signature, which must verify via 'cosign verify --key /etc/archipelago/cosign.pub --insecure-ignore-tlog=true' (plus --allow-insecure-registry --allow-http-registry for the HTTP mirror; flags checked against cosign's own docs) before anything is fetched. Missing key, missing cosign binary, timeout, or verification failure all hard-fail the pull — a declared signature cannot be skipped on either runtime. Key path overridable via ARCHIPELAGO_COSIGN_PUBKEY for tests/staging. Deletes security::ImageVerifier: zero callers, blocking std::process::Command on would-be async paths, and a fantasy 'cosign verify --signature' invocation (that flag belongs to verify-blob). Activation ships with the Workstream B ceremony, in order: pin cosign.pub on nodes + install cosign, then publish real image_signature values in the catalog. Tests: archipelago-container 58/58 (5 new), archipelago container:: 159/159, security check clean. Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
6 lines
149 B
Rust
6 lines
149 B
Rust
pub mod container_policies;
|
|
pub mod secrets_manager;
|
|
|
|
pub use container_policies::ContainerPolicyGenerator;
|
|
pub use secrets_manager::SecretsManager;
|