Re: Notary/TuF & GPG (& Harbor)


Evan Cordell
 

Just wanted to weigh in from CoreOS. We are using Notary for signing packages as well, for the Quay container registry running at Quay.io.

Signing packages is tricky and TUF seems to get things right. I would also add that there's nothing preventing GPG integration in the future if that's desirable (for key management and signing operations, not instead of TUF metadata). I believe rust-tuf has that as a goal.
