
adr

Journal of Architectural Decision Records made for the project

Enforce signed artifacts during OCI registry interactions

Context and Problem Statement

When a user uses wash, the waSCC Shell, should they be able to interact with provider archives or actors that are not signed? Any developer can create WASM files or gzipped archives with the file type .par.gz, but without an embedded JWT we have no way to verify the creator, origin, and safety of these files.

Decision Drivers

Considered Options

Decision Outcome

Chosen option: "Provider archives and waSCC actors must be signed (embedded JWT) before being pushed or pulled using wash", because our official waSCC tooling should enforce our security stance. Artifacts produced for consumption by waSCC MUST be signed to ensure a verifiable source and verifiable attestations of capabilities for actors. wash is intended to make signing easier, and the difficulty of signing a provider archive or actor does not outweigh the benefits of verifiable artifacts. In the scenario where a user would like to push other types of artifacts, use of the ORAS project is encouraged.
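The decision amounts to a gate that runs before any push or pull. The following is an added example for the actor case, not wash's own code; it assumes the JWT is carried in a WebAssembly custom section named `jwt`, and `check_actor` and the sample bytes are constructed for illustration. It rejects modules with no token or a malformed one; verifying the token's signature is a separate step that must follow.

```rust
// Added example, not wash's code. Assumption: the token is in a Wasm custom section "jwt".
// Checks presence and shape only; the signature must still be verified afterwards.
/// Decode an unsigned LEB128 integer; returns (value, bytes consumed).
fn read_leb(buf: &[u8]) -> Option<(usize, usize)> {
    let mut value: u64 = 0;
    for (i, &byte) in buf.iter().take(5).enumerate() {
        value |= u64::from(byte & 0x7f) << (7 * i);
        if (byte & 0x80) == 0 { return Some((value as usize, i + 1)); }
    }
    None
}

/// Payload of the named custom section (section id 0), if the module has one.
fn custom_section<'a>(module: &'a [u8], wanted: &str) -> Option<&'a [u8]> {
    if module.len() < 8 || !module.starts_with(b"\0asm") { return None; }
    let mut pos = 8; // skip magic and version
    while pos < module.len() {
        let (size, n) = read_leb(&module[pos + 1..])?;
        let start = pos + 1 + n;
        let body = module.get(start..start.checked_add(size)?)?;
        if module[pos] == 0 {
            let (name_len, m) = read_leb(body)?;
            if body.get(m..m + name_len)? == wanted.as_bytes() { return body.get(m + name_len..); }
        }
        pos = start + size;
    }
    None
}

/// A compact JWT has exactly three non-empty base64url segments.
fn looks_like_jwt(token: &[u8]) -> bool {
    let parts: Vec<&[u8]> = token.split(|&b| b == b'.').collect();
    parts.len() == 3 && parts.iter().all(|p| {
        !p.is_empty() && p.iter().all(|&c| c.is_ascii_alphanumeric() || c == b'-' || c == b'_')
    })
}

/// Policy gate: Err means the actor must not be pushed or pulled.
fn check_actor(module: &[u8]) -> Result<(), &'static str> {
    let token = custom_section(module, "jwt").ok_or("no embedded JWT section")?;
    if looks_like_jwt(token) { Ok(()) } else { Err("embedded JWT is malformed") }
}

// Constructed samples: a minimal module without and with a "jwt" custom section.
const UNSIGNED: &[u8] = b"\0asm\x01\0\0\0";
const SIGNED: &[u8] = b"\0asm\x01\0\0\0\x00\x1c\x03jwtaGVhZGVy.cGF5bG9hZA.c2ln";

fn main() {
    println!("signed: {:?}, unsigned: {:?}", check_actor(SIGNED), check_actor(UNSIGNED));
}
```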

Positive Consequences

Negative Consequences