https://github.com/carv-ics-forth/singularity-pki-containers

Proof of concept that singularity containers can be signed with PKI certificates

https://github.com/carv-ics-forth/singularity-pki-containers

Science Score: 13.0%

This score indicates how likely this project is to be science-related based on various indicators:

  • CITATION.cff file
  • codemeta.json file
    Found codemeta.json file
  • .zenodo.json file
  • DOI references
  • Academic publication links
  • Academic email domains
  • Institutional organization owner
  • JOSS paper metadata
  • Scientific vocabulary similarity
    Low similarity (11.1%) to scientific vocabulary
Last synced: 10 months ago · JSON representation

Repository

Proof of concept that singularity containers can be signed with PKI certificates

Basic Info
  • Host: GitHub
  • Owner: CARV-ICS-FORTH
  • License: mit
  • Language: Shell
  • Default Branch: master
  • Size: 16.6 KB
Statistics
  • Stars: 0
  • Watchers: 7
  • Forks: 0
  • Open Issues: 0
  • Releases: 0
Created over 3 years ago · Last pushed over 3 years ago
Metadata Files
Readme License

README.md

singularity-pki-containers

Proof of concept that singularity containers can be signed with PKI certificates

Acknowledgements

We thankfully acknowledge the support of the European Commission and the Greek General Secretariat for Research and Innovation under the EuroHPC Programme through project DEEP-SEA (GA-955606). National contributions from the involved state members (including the Greek General Secretariat for Research and Innovation) match the EuroHPC funding.

Purpose

This software is a collection of scripts that create a PKI based Certificate Authority. Then using this CA we can create certificates and revoke,validate and verify them. Then we use these certificates to sign singularity container images and verify them after, similar to how singularity containers are signed and verified with PGP certificates.

Prerequisites

  • SSH with SSH keys properly set up for seamless SSH connections between the hosts without the use of passwords.
  • Docker Engine must be installed on all hosts. (https://docs.docker.com/engine/install/)
  • Docker group must be created on all hosts and the user who runs CaDiSa must be a member on docker group in each host.
  • If you want to run on multiple hosts, the location from where you run CaDiSa must be a shared location between all hosts eg NFS and make sure the local root users can have access to this shared folder, because docker runs with superuser privileges.

General structure

Folder "ca_management" contains scripts that create a Certificate Authority and run an OSCP server so that client certificates can be verified. It also contains scripts for certificate verification.

sifsign.sh signs a singularity image using a client's private key. ``` ./sifsign.sh <CLIENTPRIVATEKEY> ``` sifverify.sh extracts the signature from a signed singularity image and checks for the validity of the client certificate using the OSCP server. ./sif_verify.sh <SINGULARITY_IMAGE> <_CLIENT_PUBLIC_CERTIFICATE> In order for the scripts to work correctly, verifycert.sh from folder camanagement has to be on the same directory as sif_verify.sh

slurmsingularityverifyandrun_pki.sh is a example slurm script, with a batch job to verify two singularity images and then run them. One image is not signed, the other is. It is only meant as an exaple for helping users writing their own scripts. The files used in this example are:

  • lolcow.sif: an unsigned singularity image file
  • lolcowsignedpki.sif: the file as above, but after it was signed using vavouris.key
  • sif_sign.sh: the signing script
  • sif_verify.sh: the verification script
  • vavouris.key: private key, created from the CA
  • vavouris.pem: public key, created from the CA
  • verify_cert.sh: verification script

For installation and use of the Certificate Authority scripts, please read the README inside "ca_management" folder.

Owner

  • Name: Computer Architecture and VLSI Systems (CARV) Laboratory
  • Login: CARV-ICS-FORTH
  • Kind: organization
  • Location: Heraklion, Greece

GitHub Events

Total
Last Year

Issues and Pull Requests

Last synced: over 1 year ago

All Time
  • Total issues: 0
  • Total pull requests: 0
  • Average time to close issues: N/A
  • Average time to close pull requests: N/A
  • Total issue authors: 0
  • Total pull request authors: 0
  • Average comments per issue: 0
  • Average comments per pull request: 0
  • Merged pull requests: 0
  • Bot issues: 0
  • Bot pull requests: 0
Past Year
  • Issues: 0
  • Pull requests: 0
  • Average time to close issues: N/A
  • Average time to close pull requests: N/A
  • Issue authors: 0
  • Pull request authors: 0
  • Average comments per issue: 0
  • Average comments per pull request: 0
  • Merged pull requests: 0
  • Bot issues: 0
  • Bot pull requests: 0
Top Authors
Issue Authors
Pull Request Authors
Top Labels
Issue Labels
Pull Request Labels