GitHub Integrations for securing Container Registries with Decentralized Identifiers & Verifiable Credentials


I wanted to share some updates I made to the GitHub Action we created for
working with DIDs and VCs in GitHub Workflows.

This is a demo / PoC... and it's got a bunch of security issues...

If you didn't trust GitHub, you could technically implement this all
yourself, with your corporate website, a Jenkins build server, and your
favorite container registry, but GitHub sure has made everything nice and
centralized and easy :)


- Creating Container Revision VCs with DID Web in a GitHub Action
- Uploading the VC-JWT for the signed revision as a label to GitHub
Container Registry
- Pulling the latest container registry tag and checking the VC for the

Because VC-JWT is basically just a boring JWT with some extra semantic
sugar, off-the-shelf libraries can be used; see the "direct link" at the
bottom of the readme link above.


Chief Technical Officer


Received on Sunday, 20 March 2022 21:11:07 UTC
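
The issue-then-check flow from the list in the message, as an added example that is not part of the original message or the project's code. It uses only Node's built-in `crypto`. Assumptions: the `did:web:example.com` issuer, an Ed25519 key with `alg: EdDSA`, a `revision` claim under `credentialSubject`, a DID document embedded inline instead of fetched, and the hypothetical function names `issueRevisionVc` and `verifyRevisionVc`.

```javascript
// Added example: the DID, key and revision are constructed; the claim layout is assumed.
const { generateKeyPairSync, createPublicKey, sign, verify } = require('node:crypto');

const b64u = (x) => Buffer.from(x).toString('base64url');
const parse = (seg) => JSON.parse(Buffer.from(seg, 'base64url').toString('utf8'));

// did:web:example.com resolves to https://example.com/.well-known/did.json.
// The document is embedded here so the example runs offline.
const issuer = 'did:web:example.com';
const kid = `${issuer}#key-0`;
const { publicKey, privateKey } = generateKeyPairSync('ed25519');
const didDocument = {
  id: issuer,
  verificationMethod: [{ id: kid, type: 'JsonWebKey2020', controller: issuer,
    publicKeyJwk: publicKey.export({ format: 'jwk' }) }],
  assertionMethod: [kid],
};

// Build side: sign a VC-JWT for a source revision (value destined for the image label).
function issueRevisionVc(revision) {
  const header = { alg: 'EdDSA', typ: 'JWT', kid };
  const payload = { iss: issuer, nbf: Math.floor(Date.now() / 1000) - 5,
    vc: { '@context': ['https://www.w3.org/2018/credentials/v1'],
      type: ['VerifiableCredential'], credentialSubject: { revision } } };
  const input = `${b64u(JSON.stringify(header))}.${b64u(JSON.stringify(payload))}`;
  return `${input}.${b64u(sign(null, Buffer.from(input), privateKey))}`;
}

// Pull side: check the label value against the issuer's DID document.
function verifyRevisionVc(jwt, didDoc, expectedRevision) {
  const fail = (reason) => ({ ok: false, reason });
  const parts = String(jwt).split('.');
  if (parts.length !== 3) return fail('malformed');
  let header, payload;
  try { header = parse(parts[0]); payload = parse(parts[1]); } catch { return fail('malformed'); }
  if (!header || !payload) return fail('malformed');
  if (header.alg !== 'EdDSA') return fail('alg'); // pin the algorithm; reject "none"
  if (payload.iss !== didDoc.id) return fail('issuer');
  const vm = didDoc.verificationMethod.find((m) => m.id === header.kid);
  if (!vm || !didDoc.assertionMethod.includes(vm.id)) return fail('kid');
  const key = createPublicKey({ key: vm.publicKeyJwk, format: 'jwk' });
  const signed = Buffer.from(`${parts[0]}.${parts[1]}`);
  if (!verify(null, signed, key, Buffer.from(parts[2], 'base64url'))) return fail('signature');
  if (typeof payload.nbf === 'number' && payload.nbf > Date.now() / 1000) return fail('nbf');
  if (payload.vc?.credentialSubject?.revision !== expectedRevision) return fail('revision');
  return { ok: true, reason: null };
}
```

The checks run in a fixed order (algorithm, issuer, key binding, signature, then claims), so no claim from the label is trusted for a decision before the signature has been verified against a key the DID document authorizes for assertions.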