Skip to content
  • Sheogorath's avatar
    Add info about image digest to allow end-to-end verification · 9477b123
    Sheogorath authored
    Currently the image is pushed to quay.io but since container images are
    not signed, there is no gurantee that the correct image is provided by
    quay.
    
    This patch provides the image's SHA256 digest as part of the build
    process so it's possible to verify that the correct image is up and
    downlaoded.
    
    This is a first, basic setup to allow better audits of the images. In
    future container images should get signed, but this requires some
    additional work.
    9477b123
Validating GitLab CI configuration… Learn more