Currently using Pop OS and considering switching to bluefin (actually secureblue). I’m interested in its features, but I’m concerned about potential supply chain attacks, e.g. targeting the developers on GitHub who supply the images to users (recently we had the XZ Utils attack, on the linux kernel repo).
Are there any security measures in place to mitigate this risk? Additionally, are there ways to verify the integrity of ublue images before installing them? Or between updates?
I can’t speak for secureblue but we sign our images with cosign so that you can verify that the image you’re using is built from the source code on GitHub (check the verification instructions here):
And we verify the signature during our build process:
Currently, however, Fedora is not signing their container images, so that part of the chain isn’t locked down. It’s in progress; as soon as that’s available we’ll use it and post an announcement.
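As an added example (not code from the post or from the ublue project), here is a small shell script that gates an rpm-ostree rebase on a successful cosign check and pins the rebase to the digest that was actually verified rather than to a mutable tag. The image tag, the public-key path and the sample cosign output are assumptions; the real key is published in the ublue repository.

```shell
#!/usr/bin/env bash
# Added example, not from the forum post: verify a ublue image with cosign
# before rebasing onto it. Key path and image tag are assumptions.
set -eu

# Constructed sample of what `cosign verify` prints (simple-signing JSON);
# used only to exercise the parsing helpers offline.
SAMPLE_VERIFY_OUTPUT='[{"critical":{"identity":{"docker-reference":"ghcr.io/ublue-os/bluefin"},"image":{"docker-manifest-digest":"sha256:0123abcd"},"type":"cosign container image signature"},"optional":null}]'

# Confirm the signed docker-reference names the repository we intend to
# install. A valid signature for some *other* image must not pass.
check_identity() {
  json="$1"; expected="$2"
  ref=$(printf '%s' "$json" | grep -o '"docker-reference":"[^"]*"' | head -n1 | cut -d'"' -f4)
  [ -n "$ref" ] && [ "$ref" = "$expected" ]
}

# Extract the signed manifest digest so the rebase can be pinned to exactly
# the content that was verified.
signed_digest() {
  printf '%s' "$1" | grep -o '"docker-manifest-digest":"[^"]*"' | head -n1 | cut -d'"' -f4
}

# Online path: run cosign, check identity, then rebase by digest.
verify_and_rebase() {
  image="$1"; pubkey="$2"
  repo="${image%:*}"                      # assumes registry/name:tag form
  out=$(cosign verify --key "$pubkey" "$image") || { echo "signature check failed" >&2; return 1; }
  check_identity "$out" "$repo" || { echo "signature is for a different image" >&2; return 1; }
  digest=$(signed_digest "$out")
  rpm-ostree rebase "ostree-image-signed:docker://${repo}@${digest}"
}

# Example invocation (needs cosign and a ublue system; key path is assumed):
# verify_and_rebase ghcr.io/ublue-os/bluefin:latest /etc/pki/containers/ublue.pub
```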