docs(adr): 0020 — supply-chain trust is signature continuity, not prefix-gated single-identity#133
Merged
…fix-gated single-identity

The current SignaturePolicy (gated_prefixes + one identity_regexp) answers only "are my images signed by me": no visibility into the rest of the cluster, single-identity trust that can't vouch for upstreams, and structurally blind to the actual attack — a previously-signed repo serving an unsigned (or differently-signed) image after a push-access compromise.

ADR-0020 reshapes supply-chain trust as signature CONTINUITY, the same observe-baseline-detect-deviation thesis as ADR-0016: observe every image's signing posture (signer identity read from the Fulcio cert, no pre-config), learn a per-repo TOFU baseline, and treat a signed→unsigned / identity-change regression as the breach-relevant signal.

Audit-first; the old prefix+single-identity gate becomes one pinned special case. Honestly records TOFU cold-start and false-positive limits.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01VtjoJttCvBY4dzCoE4f9vP
Records the decision to reshape the admission signature model, per the design discussion.
Problem with the current SignaturePolicy (prefix-gated + one trusted identity):
- n/a, so the operator can't see the cluster's signing posture at all.
- n/a.

Decision: model supply-chain trust as signature continuity — the same observe-baseline-detect-deviation thesis as ADR-0016:
The old prefix + single-identity gate becomes one pinned special case. Audit-first (shadow invariant). Honestly records the TOFU cold-start and false-positive limits.
A sprint plan implementing this (staged: inventory → continuity baseline → enforce) follows.
🤖 Generated with Claude Code
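The continuity model described in the commit message and the PR description above, as an added example written for this page; it is not the project's own code or its SignaturePolicy implementation. It assumes that an upstream cosign/Fulcio verification step has already produced a Posture (signed or not, plus issuer and subject read from the certificate) for the image being admitted; that step is out of scope here. The Posture and PinnedRule shapes, the verdict names, and every registry, repo and workflow identity in the sample run are constructed for illustration. The block goes slightly beyond the text in one respect: it also shows the audit-versus-enforce decision and the unsigned→signed upgrade, so the full set of transitions the baseline can take is visible.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Posture is the signing state observed for one image: whether a Sigstore
// signature verified, and the identity (OIDC issuer + subject) read from the
// Fulcio certificate that signed it. Nothing is pre-configured; the signer
// identity is whatever the certificate says. (Assumed shape, not the project's.)
type Posture struct {
	Signed   bool
	Issuer   string // e.g. https://token.actions.githubusercontent.com
	Identity string // certificate SAN, e.g. a GitHub workflow URI
}

// Verdict classifies one observation against the per-repo baseline.
type Verdict int

const (
	Learned          Verdict = iota // TOFU cold start: the first sighting pins the baseline
	Consistent                      // matches the baseline (or the pinned rule)
	UnsignedToSigned                // repo started signing; baseline upgraded, informational
	SignedToUnsigned                // regression: the breach-relevant signal
	IdentityChange                  // regression: a different signer for a known-signed repo
	PinnedMismatch                  // the old prefix gate: identity must match the regexp
)

func (v Verdict) String() string {
	return [...]string{"learned", "consistent", "unsigned->signed",
		"signed->unsigned", "identity-change", "pinned-mismatch"}[v]
}

// PinnedRule keeps the old gated_prefixes + identity_regexp gate as one
// special case: repos under Prefix are never learned, only checked.
type PinnedRule struct {
	Prefix   string
	Identity *regexp.Regexp
}

// Continuity holds the learned per-repo baseline plus the pinned rules.
type Continuity struct {
	baseline map[string]Posture
	pinned   []PinnedRule
}

func NewContinuity(pinned []PinnedRule) *Continuity {
	return &Continuity{baseline: map[string]Posture{}, pinned: pinned}
}

// repoOf strips tag and digest so the baseline is keyed per repository:
// ghcr.io/org/api:1.2@sha256:... -> ghcr.io/org/api
func repoOf(ref string) string {
	if i := strings.Index(ref, "@"); i >= 0 {
		ref = ref[:i]
	}
	// a ':' is a tag only when it follows the last '/'; registry ports do not
	if colon := strings.LastIndex(ref, ":"); colon > strings.LastIndex(ref, "/") {
		ref = ref[:colon]
	}
	return ref
}

// Observe records one admission-time sighting and classifies it. Regressions
// deliberately do not overwrite the baseline: one compromised push must not
// become the new normal (a design choice assumed here, not stated on the page).
func (c *Continuity) Observe(ref string, p Posture) Verdict {
	if !p.Signed {
		p = Posture{} // normalise: an unsigned sighting carries no identity
	}
	repo := repoOf(ref)
	for _, r := range c.pinned {
		if strings.HasPrefix(repo, r.Prefix) {
			if p.Signed && r.Identity.MatchString(p.Identity) {
				return Consistent
			}
			return PinnedMismatch
		}
	}
	prev, seen := c.baseline[repo]
	switch {
	case !seen:
		c.baseline[repo] = p // cold-start limit: an unsigned first sighting is learned, not alerted
		return Learned
	case prev == p:
		return Consistent
	case !prev.Signed && p.Signed:
		c.baseline[repo] = p
		return UnsignedToSigned
	case prev.Signed && !p.Signed:
		return SignedToUnsigned
	default:
		return IdentityChange
	}
}

// Admit is the audit-first policy: audit mode admits everything and only
// reports; enforce mode denies the two regressions and pinned mismatches.
func Admit(v Verdict, enforce bool) bool {
	if !enforce {
		return true
	}
	return v != SignedToUnsigned && v != IdentityChange && v != PinnedMismatch
}

func main() {
	// Constructed sequence of sightings, not real cluster data.
	c := NewContinuity([]PinnedRule{{
		Prefix:   "registry.internal/platform/",
		Identity: regexp.MustCompile(`^https://github\.com/example-org/platform/`),
	}})
	release := Posture{Signed: true, Issuer: "https://token.actions.githubusercontent.com",
		Identity: "https://github.com/example-org/api/.github/workflows/release.yml@refs/heads/main"}
	steps := []struct {
		ref string
		p   Posture
	}{
		{"ghcr.io/example-org/api:1.2.0", release},
		{"ghcr.io/example-org/api:1.2.1", release},
		{"ghcr.io/example-org/api:1.2.2", Posture{}}, // pushed unsigned after a push-token theft
		{"registry.internal/platform/ingress:3", release},
	}
	for _, s := range steps {
		v := c.Observe(s.ref, s.p)
		fmt.Printf("%-40s %-17s audit=%v enforce=%v\n", s.ref, v, Admit(v, false), Admit(v, true))
	}
}
```

Two of the ADR's stated limits are visible in the code rather than hidden by it: a repo whose first sighting is unsigned is simply learned (cold start), and a legitimate signer rotation (a renamed workflow file, a moved repository) surfaces as identity-change exactly like a hostile one, which is the false-positive case that keeps the model audit-first until an operator re-pins the baseline.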