authorseth <[email protected]>2024-01-25 09:20:49 -0500
committerseth <[email protected]>2024-01-25 11:16:13 -0500
commit6a0a5b46c633f12ca0e754353b6a6f8818915ed8 (patch)
tree92095eb4f4fc0e4c0ccf9ac171fa384d343b578b /config/files/usr/etc/containers
parentc9e0dd7c15260eb73d59b9996a5a9a17548afd59 (diff)
add signed image support
Diffstat (limited to 'config/files/usr/etc/containers')
-rw-r--r--config/files/usr/etc/containers/policy.json44
-rw-r--r--config/files/usr/etc/containers/registries.d/getchoo.yaml3
2 files changed, 47 insertions, 0 deletions
diff --git a/config/files/usr/etc/containers/policy.json b/config/files/usr/etc/containers/policy.json
new file mode 100644
index 0000000..0041022
--- /dev/null
+++ b/config/files/usr/etc/containers/policy.json
@@ -0,0 +1,44 @@
+{
+ "default": [
+ {
+ "type": "insecureAcceptAnything"
+ }
+ ],
+ "transports": {
+ "docker": {
+ "registry.access.redhat.com": [
+ {
+ "type": "signedBy",
+ "keyType": "GPGKeys",
+ "keyPath": "/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release"
+ }
+ ],
+ "registry.redhat.io": [
+ {
+ "type": "signedBy",
+ "keyType": "GPGKeys",
+ "keyPath": "/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release"
+ }
+ ],
+ "ghcr.io/getchoo": [
+ {
+ "type": "sigstoreSigned",
+ "fulcio": {
+ "caPath": "/usr/etc/pki/containers/fulcio_v1.crt.pem",
+ "oidcIssuer": "https://token.actions.githubusercontent.com",
+ "subjectEmail": "https://github.com/getchoo/fedora-oci-images/.github/workflows/build-image.yaml@refs/heads/main"
+ },
+ "rekorPublicKeyPath": "/usr/etc/pki/containers/rekor.pub",
+ "signedIdentity": { "type": "matchRepository" }
+ }
+ ]
+ },
+ "docker-daemon": {
+ "": [
+ {
+ "type": "insecureAcceptAnything"
+ }
+ ]
+ }
+ }
+}
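Review bot: The `subjectEmail` under `fulcio` for `ghcr.io/getchoo` holds a workflow URL rather than an e-mail address, and as far as I know containers/image compares this field only against the e-mail SANs of the Fulcio certificate, while GitHub Actions keyless certificates carry the workflow identity as a URI SAN. If that holds for the deployed version, verification fails closed and every pull from this scope is rejected, so it is worth confirming with a test pull of a signed image and of an unsigned one before shipping. A key-based requirement, `"type": "sigstoreSigned", "keyPath": "<path to the cosign public key>"`, avoids the SAN-type question. Separately, `default` stays `insecureAcceptAnything`, so only the three listed `docker` scopes are verified and images from any other registry or namespace are still accepted unsigned.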
diff --git a/config/files/usr/etc/containers/registries.d/getchoo.yaml b/config/files/usr/etc/containers/registries.d/getchoo.yaml
new file mode 100644
index 0000000..7f39915
--- /dev/null
+++ b/config/files/usr/etc/containers/registries.d/getchoo.yaml
@@ -0,0 +1,3 @@
+docker:
+ ghcr.io/getchoo:
+ use-sigstore-attachments: true