Re: GitHub Integrations for securing Container Registries with Decentralized Identifiers & Verifiable Credentials

Really nice work Orie!

On Sun, Mar 20, 2022 at 2:11 PM Orie Steele <orie@transmute.industries>
wrote:

> Friends,
>
> I wanted to share some updates I made to the GitHub Action we created for
> working with DIDs and VCs in GitHub Workflows.
>
>
> https://github.com/transmute-industries/public-credential-registry-template/blob/main/docs/public-container-registry.md
>
> This is a demo / PoC... and it's got a bunch of security issues...
>
> If you didn't trust GitHub, you could technically implement this all
> yourself, with your corporate website, a Jenkins build server, and your
> favorite container registry, but GitHub sure has made everything nice and
> centralized and easy :)
>
> TLDR:
>
> - Creating Container Revision VCs with DID Web in a GitHub Action
> - Uploading the VC-JWT for the signed revision as a label to GitHub
> Container Registry
> - Pulling the latest container registry tag and checking the VC for the
> revision.
>
> Because VC-JWT is basically just a boring JWT with some extra semantic
> sugar, off the shelf libraries can be used, see the "direct link" at the
> bottom of the readme link above.
>
> Regards,
>
> OS
> --
> *ORIE STEELE*
> Chief Technical Officer
> www.transmute.industries
>
> <https://www.transmute.industries>
>

Received on Saturday, 26 March 2022 18:02:42 UTC
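
The check described in the TLDR of the quoted message (a VC-JWT stored as a registry label, verified after the image is pulled), written with only Node's built-in crypto as an added example; it is not code from the linked repository. The `revision` claim name, the `did:web:registry.example` identifier, the key id and the EdDSA algorithm are assumptions, and the DID document is constructed in memory instead of being fetched from the URL that `didWebUrl` computes.

```javascript
// Added example. Claim names, DID, key id and algorithm are assumptions, not from the post.
const nodeCrypto = require('node:crypto');
const b64u = (x) => Buffer.from(x).toString('base64url');
const fromB64u = (x) => JSON.parse(Buffer.from(x, 'base64url').toString('utf8'));

// did:web resolution rule: did:web:example.com:a:b -> https://example.com/a/b/did.json
function didWebUrl(did) {
  const parts = did.split(':').slice(2).map(decodeURIComponent);
  const path = parts.length > 1 ? parts.slice(1).join('/') : '.well-known';
  return `https://${parts[0]}/${path}/did.json`;
}

// Verify the VC-JWT read from the image label and bind it to the revision that was pulled.
function verifyRevisionVc(jwt, didDoc, pulledRevision) {
  const [h, p, s] = jwt.split('.');
  if (!h || !p || !s) throw new Error('malformed JWT');
  const header = fromB64u(h);
  const payload = fromB64u(p);
  // Pin the algorithm instead of trusting whatever the token header asks for.
  if (header.alg !== 'EdDSA') throw new Error('unexpected alg');
  if (payload.iss !== didDoc.id) throw new Error('issuer is not the expected DID');
  // The signing key must be listed in the issuer's DID document for assertions.
  const vm = (didDoc.verificationMethod || []).find((m) => m.id === header.kid);
  if (!vm || !(didDoc.assertionMethod || []).includes(vm.id)) throw new Error('kid not authorized');
  const key = nodeCrypto.createPublicKey({ key: vm.publicKeyJwk, format: 'jwk' });
  const ok = nodeCrypto.verify(null, Buffer.from(`${h}.${p}`), key, Buffer.from(s, 'base64url'));
  if (!ok) throw new Error('bad signature');
  // A valid signature is not enough: the credential must describe this revision.
  const subject = payload.vc && payload.vc.credentialSubject;
  if (!subject || subject.revision !== pulledRevision) throw new Error('VC is for a different revision');
  return subject;
}

// Constructed fixture: fresh Ed25519 key, in-memory DID document, signed VC-JWT.
function makeFixture(revision) {
  const did = 'did:web:registry.example'; // constructed identifier
  const kid = `${did}#key-0`;
  const { publicKey, privateKey } = nodeCrypto.generateKeyPairSync('ed25519');
  const didDoc = {
    id: did,
    verificationMethod: [{ id: kid, type: 'JsonWebKey2020', controller: did,
      publicKeyJwk: publicKey.export({ format: 'jwk' }) }],
    assertionMethod: [kid],
  };
  const vc = { '@context': ['https://www.w3.org/2018/credentials/v1'],
    type: ['VerifiableCredential'], credentialSubject: { revision } };
  const input = `${b64u(JSON.stringify({ alg: 'EdDSA', kid }))}.${b64u(JSON.stringify({ iss: did, vc }))}`;
  return { didDoc, jwt: `${input}.${b64u(nodeCrypto.sign(null, Buffer.from(input), privateKey))}` };
}
```

With did:web the trust anchor is whoever controls the domain and its TLS certificate, so a deployment would pin the expected issuer DID in the verifier and not take it from the label.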