
GitHub Integrations for securing Container Registries with Decentralized Identifiers & Verifiable Credentials

From: Orie Steele <orie@transmute.industries>
Date: Sun, 20 Mar 2022 16:10:40 -0500
Message-ID: <CAN8C-_LqhJBMDFTnuaOQuuZ0hQLD=Szp6Vi2=xOnfnPReMdFQQ@mail.gmail.com>
To: "W3C Credentials CG (Public List)" <public-credentials@w3.org>
Cc: Sapan Narang <sapan@transmute.industries>

Friends,

I wanted to share some updates I made to the GitHub Action we created for
working with DIDs and VCs in GitHub Workflows.

https://github.com/transmute-industries/public-credential-registry-template/blob/main/docs/public-container-registry.md

This is a demo / PoC... and it's got a bunch of security issues...

If you didn't trust GitHub, you could technically implement this all
yourself, with your corporate website, a Jenkins build server, and your
favorite container registry, but GitHub sure has made everything nice and
centralized and easy :)

TLDR:

- Creating Container Revision VCs with DID Web in a GitHub Action
- Uploading the VC-JWT for the signed revision as a label to GitHub
  Container Registry
- Pulling the latest container registry tag and checking the VC for the
  revision.

Because VC-JWT is basically just a boring JWT with some extra semantic
sugar, off-the-shelf libraries can be used, see the "direct link" at the
bottom of the readme link above.

Regards,

OS
-- 
*ORIE STEELE*
Chief Technical Officer
www.transmute.industries

Received on Sunday, 20 March 2022 21:11:07 UTC
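
The pull-and-check step from the TLDR above, sketched with only Node's built-in crypto module; this is an added example, not code from the original message or from the Transmute project. It assumes the caller has already read the VC-JWT from the image label and fetched the issuer's DID document, and the EdDSA algorithm, the `credentialSubject.revision` field and `did:web:registry.example` are hypothetical choices made for illustration.

```javascript
// Added example with constructed data; DID, key id and claim names are assumptions.
const nodeCrypto = require('node:crypto');
const b64u = (x) => Buffer.from(Buffer.isBuffer(x) ? x : JSON.stringify(x)).toString('base64url');
const fromB64u = (s) => JSON.parse(Buffer.from(s, 'base64url').toString('utf8'));
const fail = (msg) => { throw new Error(msg); };
// did:web method rule: the DID maps to an HTTPS URL for the DID document.
function didWebToUrl(did) {
  const parts = did.split(':');
  if (parts[0] !== 'did' || parts[1] !== 'web' || !parts[2]) fail('not did:web');
  const [host, ...path] = parts.slice(2).map(decodeURIComponent);
  return `https://${host}/${path.length ? path.join('/') : '.well-known'}/did.json`;
}

// didDocument is what the caller fetched from didWebToUrl(expectedIssuer).
function verifyRevisionVc(jwt, didDocument, expectedIssuer, expectedRevision) {
  const [h, p, s, extra] = String(jwt).split('.');
  if (!h || !p || !s || extra !== undefined) fail('malformed JWT');
  const header = fromB64u(h);
  // Pin the algorithm instead of trusting the token (rejects "none").
  if (header.alg !== 'EdDSA') fail('unexpected alg');
  const payload = fromB64u(p);
  if (payload.iss !== expectedIssuer || didDocument.id !== expectedIssuer) fail('issuer mismatch');
  // The kid must name a key the issuer authorises for assertions.
  const vm = (didDocument.verificationMethod || []).find((m) => m.id === header.kid);
  if (!vm || !(didDocument.assertionMethod || []).includes(vm.id)) fail('unknown key');
  const key = nodeCrypto.createPublicKey({ key: vm.publicKeyJwk, format: 'jwk' });
  if (key.asymmetricKeyType !== 'ed25519') fail('wrong key type');
  const ok = nodeCrypto.verify(null, Buffer.from(`${h}.${p}`), key, Buffer.from(s, 'base64url'));
  if (!ok) fail('bad signature');
  const now = Math.floor(Date.now() / 1000);
  if (payload.nbf > now || payload.exp <= now) fail('outside validity window');
  // Bind the credential to the image revision that was actually pulled.
  if (payload.vc?.credentialSubject?.revision !== expectedRevision) fail('revision mismatch');
  return payload.vc;
}

// Constructed issuer, key and token so the block runs offline.
function makeSample() {
  const issuer = 'did:web:registry.example';
  const revision = 'sha256:' + '0'.repeat(64); // placeholder digest
  const { publicKey, privateKey } = nodeCrypto.generateKeyPairSync('ed25519');
  const kid = `${issuer}#key-1`;
  const didDocument = { id: issuer, assertionMethod: [kid],
    verificationMethod: [{ id: kid, controller: issuer, publicKeyJwk: publicKey.export({ format: 'jwk' }) }] };
  const vc = { type: ['VerifiableCredential'], issuer, credentialSubject: { revision } };
  const input = `${b64u({ alg: 'EdDSA', kid })}.${b64u({ iss: issuer, nbf: 0, vc })}`;
  const jwt = `${input}.${b64u(nodeCrypto.sign(null, Buffer.from(input), privateKey))}`;
  return { issuer, revision, didDocument, jwt };
}
```

The expected issuer and revision come from the verifier's own configuration and from the pulled image, never from the token, which is why both are parameters rather than values read out of the JWT.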
