| author | seth <[email protected]> | 2024-01-25 09:20:49 -0500 |
|---|---|---|
| committer | seth <[email protected]> | 2024-01-25 11:16:13 -0500 |
| commit | 6a0a5b46c633f12ca0e754353b6a6f8818915ed8 (patch) | |
| tree | 92095eb4f4fc0e4c0ccf9ac171fa384d343b578b /config/files/usr/etc | |
| parent | c9e0dd7c15260eb73d59b9996a5a9a17548afd59 (diff) | |
add signed image support
Diffstat (limited to 'config/files/usr/etc')
4 files changed, 64 insertions, 0 deletions
diff --git a/config/files/usr/etc/containers/policy.json b/config/files/usr/etc/containers/policy.json
new file mode 100644
index 0000000..0041022
--- /dev/null
+++ b/config/files/usr/etc/containers/policy.json
@@ -0,0 +1,44 @@
+{
+ "default": [
+ {
+ "type": "insecureAcceptAnything"
+ }
+ ],
+ "transports": {
+ "docker": {
+ "registry.access.redhat.com": [
+ {
+ "type": "signedBy",
+ "keyType": "GPGKeys",
+ "keyPath": "/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release"
+ }
+ ],
+ "registry.redhat.io": [
+ {
+ "type": "signedBy",
+ "keyType": "GPGKeys",
+ "keyPath": "/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release"
+ }
+ ],
+ "ghcr.io/getchoo": [
+ {
+ "type": "sigstoreSigned",
+ "fulcio": {
+ "caPath": "/usr/etc/pki/containers/fulcio_v1.crt.pem",
+ "oidcIssuer": "https://token.actions.githubusercontent.com",
+ "subjectEmail": "https://github.com/getchoo/fedora-oci-images/.github/workflows/build-image.yaml@refs/heads/main"
+ },
+ "rekorPublicKeyPath": "/usr/etc/pki/containers/rekor.pub",
+ "signedIdentity": { "type": "matchRepository" }
+ }
+ ]
+ },
+ "docker-daemon": {
+ "": [
+ {
+ "type": "insecureAcceptAnything"
+ }
+ ]
+ }
+ }
+}
diff --git a/config/files/usr/etc/containers/registries.d/getchoo.yaml b/config/files/usr/etc/containers/registries.d/getchoo.yaml
new file mode 100644
index 0000000..7f39915
--- /dev/null
+++ b/config/files/usr/etc/containers/registries.d/getchoo.yaml
@@ -0,0 +1,3 @@
+docker:
+ ghcr.io/getchoo:
+ use-sigstore-attachments: true
diff --git a/config/files/usr/etc/pki/containers/fulcio_v1.crt.pem b/config/files/usr/etc/pki/containers/fulcio_v1.crt.pem
new file mode 100644
index 0000000..3afc46b
--- /dev/null
+++ b/config/files/usr/etc/pki/containers/fulcio_v1.crt.pem
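Review bot: The `subjectEmail` value in the `ghcr.io/getchoo` entry of policy.json is a GitHub Actions workflow URL, and as far as I know containers/image compares `subjectEmail` with the e-mail SAN of the Fulcio certificate, whereas workflow identities are issued as URI SANs. If that holds for the version shipped on this image, verification fails closed and every pull under `ghcr.io/getchoo` is rejected, so confirm with a test pull of a signed image before relying on this entry. Should it fail, signing with a cosign key pair and referencing the public key through `keyPath` in place of the `fulcio` block is the form this policy type supports without an identity match. Separately, `default` remains `insecureAcceptAnything`, so signatures are enforced only for the three listed `docker` scopes and images from any other registry or namespace are still accepted unsigned; since JSON cannot carry a comment, that scope limit belongs in the commit description.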
@@ -0,0 +1,13 @@
+-----BEGIN CERTIFICATE-----
+MIIB9zCCAXygAwIBAgIUALZNAPFdxHPwjeDloDwyYChAO/4wCgYIKoZIzj0EAwMw
+KjEVMBMGA1UEChMMc2lnc3RvcmUuZGV2MREwDwYDVQQDEwhzaWdzdG9yZTAeFw0y
+MTEwMDcxMzU2NTlaFw0zMTEwMDUxMzU2NThaMCoxFTATBgNVBAoTDHNpZ3N0b3Jl
+LmRldjERMA8GA1UEAxMIc2lnc3RvcmUwdjAQBgcqhkjOPQIBBgUrgQQAIgNiAAT7
+XeFT4rb3PQGwS4IajtLk3/OlnpgangaBclYpsYBr5i+4ynB07ceb3LP0OIOZdxex
+X69c5iVuyJRQ+Hz05yi+UF3uBWAlHpiS5sh0+H2GHE7SXrk1EC5m1Tr19L9gg92j
+YzBhMA4GA1UdDwEB/wQEAwIBBjAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBRY
+wB5fkUWlZql6zJChkyLQKsXF+jAfBgNVHSMEGDAWgBRYwB5fkUWlZql6zJChkyLQ
+KsXF+jAKBggqhkjOPQQDAwNpADBmAjEAj1nHeXZp+13NWBNa+EDsDP8G1WWg1tCM
+WP/WHPqpaVo0jhsweNFZgSs0eE7wYI4qAjEA2WB9ot98sIkoF3vZYdd3/VtWB5b9
+TNMea7Ix/stJ5TfcLLeABLE4BNJOsQ4vnBHJ
+-----END CERTIFICATE-----
\ No newline at end of file
diff --git a/config/files/usr/etc/pki/containers/rekor.pub b/config/files/usr/etc/pki/containers/rekor.pub
new file mode 100644
index 0000000..050ef60
--- /dev/null
+++ b/config/files/usr/etc/pki/containers/rekor.pub
@@ -0,0 +1,4 @@
+-----BEGIN PUBLIC KEY-----
+MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE2G2Y+2tabdTV5BcGiBIx0a9fAFwr
+kBbmLSGtks4L3qX6yYY0zufBnhC8Ur/iy55GhWP/9A/bY2LhC30M9+RYtw==
+-----END PUBLIC KEY----- |
