Skip to content

Commit 2a23a13

Browse files
committed
doc/plans: Update OCI sealing spec (kernel sigs, flattened layers)
Two big goals: - Support for kernel-native fsverity signatures to be associated with a digest - Generalize the "flattened vs per-layer digest"; any layer can now have either. However, after some iteration I eventually realized that it's really best to create a new OCI artifact type for this that is dedicated to carrying fsverity signatures. The huge advantage of this is one can composefs-sign existing unmodified OCI container images. We continue to retain though the option to have a per-layer annotation in the manifest with the same digest information, because it allows replacing diff_id *always*. It's not the default for tooling to copy OCI referrers around necessarily, and it's very convenient to ensure that the tar stream can be efficiently verified online even if just the manifest is stored. Assisted-by: OpenCode (Claude Opus 4) Signed-off-by: Colin Walters <walters@verbum.org>
1 parent a5e8205 commit 2a23a13

2 files changed

Lines changed: 326 additions & 256 deletions

File tree

0 commit comments

Comments
 (0)