Re: GitHub Integrations for securing Container Registries with Decentralized Identifiers & Verifiable Credentials

It's good to have talented people around whom I can learn from and move
forward with as an antidote to my frequent stinkn' thinkin'.

-Brent Shambaugh

GitHub: https://github.com/bshambaugh
Website: http://bshambaugh.org/
LinkedIn: https://www.linkedin.com/in/brent-shambaugh-9b91259
Skype: brent.shambaugh
Twitter: https://twitter.com/Brent_Shambaugh
WebID: http://bshambaugh.org/foaf.rdf#me


On Sat, Mar 26, 2022 at 1:05 PM Kim Hamilton <kimdhamilton@gmail.com> wrote:

> Really nice work Orie!
>
> On Sun, Mar 20, 2022 at 2:11 PM Orie Steele <orie@transmute.industries>
> wrote:
>
>> Friends,
>>
>> I wanted to share some updates I made to the GitHub Action we created for
>> working with DIDs and VCs in GitHub Workflows.
>>
>>
>> https://github.com/transmute-industries/public-credential-registry-template/blob/main/docs/public-container-registry.md
>>
>> This is a demo / PoC... and it's got a bunch of security issues...
>>
>> If you didn't trust GitHub, you could technically implement this all
>> yourself, with your corporate website, a Jenkins build server, and your
>> favorite container registry, but GitHub sure has made everything nice and
>> centralized and easy :)
>>
>> TLDR:
>>
>> - Creating Container Revision VCs with DID Web in a GitHub Action
>> - Uploading the VC-JWT for the signed revision as a label to GitHub
>> Container Registry
>> - Pulling the latest container registry tag and checking the VC for the
>> revision.
>>
>> Because VC-JWT is basically just a boring JWT with some extra semantic
>> sugar, off the shelf libraries can be used, see the "direct link" at the
>> bottom of the readme link above.
>>
>> Regards,
>>
>> OS
>> --
>> *ORIE STEELE*
>> Chief Technical Officer
>> www.transmute.industries
>>
>> <https://www.transmute.industries>
>>
>

Received on Saturday, 26 March 2022 18:12:53 UTC
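
The check outlined in the quoted announcement (read the VC-JWT from an image label and verify it for the pulled revision), as an added example that is not code from this thread or from the Transmute repository. The label key `example.vc-jwt`, the `did:web:registry.example` issuer, the Ed25519 key and the claim layout are assumptions, and the DID document is embedded here rather than fetched over HTTPS.

```javascript
// Added example: label key, DID, key type and claim layout are assumptions, not the project's.
const { generateKeyPairSync, sign, verify, createPublicKey } = require("crypto");

const b64u = (x) => Buffer.from(x).toString("base64url");
const fromB64u = (s) => JSON.parse(Buffer.from(s, "base64url").toString("utf8"));

// Constructed issuer: an Ed25519 key published in a did:web DID document.
const { publicKey, privateKey } = generateKeyPairSync("ed25519");
const ISSUER = "did:web:registry.example";
const KID = `${ISSUER}#key-0`;
const didDocument = {
  id: ISSUER,
  verificationMethod: [{ id: KID, type: "JsonWebKey2020", controller: ISSUER,
    publicKeyJwk: publicKey.export({ format: "jwk" }) }],
  assertionMethod: [KID],
};

// Issue a VC-JWT for one container revision (the CI side of the flow).
function issueRevisionVc(revision, key = privateKey, kid = KID) {
  const header = { alg: "EdDSA", kid };
  const payload = { iss: ISSUER, sub: revision, nbf: 1647800000,
    vc: { "@context": ["https://www.w3.org/2018/credentials/v1"],
      type: ["VerifiableCredential"], credentialSubject: { id: revision } } };
  const input = `${b64u(JSON.stringify(header))}.${b64u(JSON.stringify(payload))}`;
  return `${input}.${b64u(sign(null, Buffer.from(input), key))}`;
}

// Verify the VC-JWT carried in an image label against the revision that was pulled.
function checkImage(labels, pulledRevision, didDoc, labelKey = "example.vc-jwt") {
  const jwt = labels[labelKey];
  if (typeof jwt !== "string" || jwt.split(".").length !== 3) return "missing-or-malformed";
  const [h, p, s] = jwt.split(".");
  let header, payload;
  try { header = fromB64u(h); payload = fromB64u(p); } catch { return "missing-or-malformed"; }
  if (header.alg !== "EdDSA") return "bad-alg"; // pin the algorithm instead of trusting the header
  // The key must be listed by the issuer's own DID document for assertions.
  const vm = didDoc.verificationMethod.find((m) => m.id === header.kid);
  if (!vm || payload.iss !== didDoc.id || !didDoc.assertionMethod.includes(vm.id)) return "untrusted-key";
  const key = createPublicKey({ key: vm.publicKeyJwk, format: "jwk" });
  if (!verify(null, Buffer.from(`${h}.${p}`), key, Buffer.from(s, "base64url"))) return "bad-signature";
  // A valid credential for a different revision must not vouch for this image.
  if (payload.vc?.credentialSubject?.id !== pulledRevision) return "revision-mismatch";
  return "ok";
}
```

A signature that verifies is not enough on its own: the final comparison binds the credential to the revision actually pulled, so a label copied from another image is rejected.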