While the integrity package currently supports cryptographic signing and verification of the contents of a SIF image, it is not expressive enough for a party to make specific statements about the supply chain that created the image.
To support users of SingularityCE who are investing in their software supply chain security, we should look at adding support for embedding signed attestations within a SIF image.
While the integrity package currently supports cryptographic signing and verification of the contents of a SIF image, it is not expressive enough for a party to make specific statements about the supply chain that created the image.
To support users of SingularityCE who are investing in their software supply chain security, we should look at adding support for embedding signed attestations within a SIF image.