| -rw-r--r-- | .github/workflows/build.yaml | 24 | ||||
| -rw-r--r-- | base/Containerfile | 5 | ||||
| -rw-r--r-- | config/Containerfile | 27 | ||||
| -rw-r--r-- | config/container-policy.spec | 27 | ||||
| -rw-r--r-- | config/files/usr/etc/containers/policy.json | 44 | ||||
| -rw-r--r-- | config/files/usr/etc/containers/registries.d/getchoo.yaml | 3 | ||||
| -rw-r--r-- | config/files/usr/etc/pki/containers/fulcio_v1.crt.pem | 13 | ||||
| -rw-r--r-- | config/files/usr/etc/pki/containers/rekor.pub | 4 |
8 files changed, 147 insertions, 0 deletions
diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml
index c80ab65..0461008 100644
--- a/.github/workflows/build.yaml
+++ b/.github/workflows/build.yaml
@@ -35,6 +35,7 @@ jobs:
 base:
 name: Base Images
+needs: [config]
 permissions:
 contents: read
@@ -60,6 +61,29 @@ jobs:
 FEDORA_VERSION=${{ matrix.fedora_version }}
 IMAGE_FLAVOR=${{ matrix.image_flavor }}
+config:
+name: Config layer
+
+permissions:
+contents: read
+id-token: write
+packages: write
+
+strategy:
+fail-fast: false
+matrix:
+fedora_version: [39]
+
+uses: ./.github/workflows/build-image.yaml
+with:
+image_name: config
+containerfile: ./config/Containerfile
+context: ./config
+extra_tags: |
+${{ matrix.fedora_version }}
+build_args: |
+FEDORA_VERSION=${{ matrix.fedora_version }}
+
 nvidia:
 name: NVIDIA Images
 needs: [akmods, base]
diff --git a/base/Containerfile b/base/Containerfile
index ae51051..a4ff2f4 100644
--- a/base/Containerfile
+++ b/base/Containerfile
@@ -58,8 +58,13 @@ RUN cd /etc/yum.repos.d/ && \
 RUN readarray -td '' pkgs < <(/tmp/yq '.install[]' /tmp/packages.yaml) && \
 rpm-ostree install "${pkgs[@]}"
+# enable automatic updates
 RUN sed -i 's/#AutomaticUpdatePolicy.*/AutomaticUpdatePolicy=stage/' /etc/rpm-ostreed.conf
+# bring in config layer
+COPY --from=ghcr.io/getchoo/config:${FEDORA_VERSION} /rpms /tmp/config
+RUN rpm-ostree install /tmp/config/container-policy/getchoo-container-policy*.rpm
+
 RUN rpm-ostree cleanup -m && \
 rm -rf /tmp/* /var/* && \
diff --git a/config/Containerfile b/config/Containerfile
new file mode 100644
index 0000000..ff10f83
--- /dev/null
+++ b/config/Containerfile
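Review bot: The new `config` job declares its own `fedora_version: [39]` matrix while `base` — which now has `needs: [config]` and, per `base/Containerfile`, pulls `ghcr.io/getchoo/config:${FEDORA_VERSION}` — keeps a separate matrix that is not visible in this hunk; if the two lists ever diverge, the base build for the extra version fails at `COPY --from` because no config image exists for that tag. Actions YAML has no anchors, so at minimum annotate the line, `fedora_version: [39]  # keep in sync with base.strategy.matrix — base pulls config:${FEDORA_VERSION}`, or derive both matrices from a single job output. The rest of the `jobs:` map lies outside the hunk.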
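Review bot: `COPY --from=ghcr.io/getchoo/config:${FEDORA_VERSION} /rpms /tmp/config` fetches the RPM that installs the host's container-signing policy by a mutable tag, with no digest pin and no signature check at build time, so whatever `:39` resolves to when the base job runs — plausibly a concurrent run's output, or a tampered tag — becomes the trust root baked into every derived image. Pin the reference by digest (`COPY --from=ghcr.io/getchoo/config@sha256:…`, with the digest passed in as a build arg from the config job) or build the RPM in an earlier stage of this same Containerfile so it never round-trips through the registry. Installing an unsigned local package with `rpm-ostree install /tmp/config/container-policy/getchoo-container-policy*.rpm` is acceptable once the source is pinned, but a comment that the glob is expected to match exactly one file would make the intent clear. The `RUN rpm-ostree cleanup` command continues past the end of the hunk.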
@@ -0,0 +1,27 @@
+ARG BASE_IMAGE="registry.fedoraproject.org/fedora"
+ARG FEDORA_VERSION="${FEDORA_VERSION:-39}"
+
+FROM ${BASE_IMAGE}:${FEDORA_VERSION} as builder
+
+COPY files /tmp/files
+COPY container-policy.spec /tmp/specs/container-policy.spec
+
+RUN dnf install \
+--disablerepo='*' \
+--enablerepo='fedora,updates' \
+--setopt install_weak_deps=0 \
+--nodocs \
+--assumeyes \
+rpm-build
+
+RUN mkdir -p /var/cache/rpms/container-policy /tmp/container-policy/rpmbuild/SOURCES
+RUN tar -czf /tmp/container-policy/rpmbuild/SOURCES/container-policy.tar.gz -C /tmp files
+
+RUN rpmbuild -ba \
+--define '_topdir /tmp/container-policy/rpmbuild' \
+--define '%_tmppath %{_topdir}/tmp' \
+/tmp/specs/container-policy.spec && \
+cp /tmp/container-policy/rpmbuild/RPMS/noarch/getchoo-container-policy*.rpm /var/cache/rpms/container-policy/
+
+FROM scratch
+COPY --from=builder /var/cache/rpms/container-policy /rpms/container-policy
diff --git a/config/container-policy.spec b/config/container-policy.spec
new file mode 100644
index 0000000..1516dfa
--- /dev/null
+++ b/config/container-policy.spec
@@ -0,0 +1,27 @@
+Name: getchoo-container-policy
+Version: 0.1
+Release: %autorelease
+Summary: getchoo's container signing policy
+License: MIT
+URL: https://github.com/getchoo/fedora-oci-images
+BuildArch: noarch
+
+Source0: container-policy.tar.gz
+
+%description
+getchoo's container policy for verifying images from ghcr.io/getchoo
+
+%prep
+%autosetup -c -T
+
+%install
+tar -xzf %{SOURCE0} -C %{buildroot} --strip-component=1
+
+%files
+%attr(0644,root,root) %{_exec_prefix}/etc/containers/policy.json
+%attr(0644,root,root) %{_exec_prefix}/etc/containers/registries.d/getchoo.yaml
+%attr(0644,root,root) %{_exec_prefix}/etc/pki/containers/fulcio_v1.crt.pem
+%attr(0644,root,root) %{_exec_prefix}/etc/pki/containers/rekor.pub
+
+%changelog
+%autochangelog
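Review bot: `FROM ${BASE_IMAGE}:${FEDORA_VERSION} as builder` builds the policy RPM from an unpinned `registry.fedoraproject.org/fedora:39` tag, so the toolchain that produces the package can change silently between runs; pin it (`FROM ${BASE_IMAGE}:${FEDORA_VERSION}@sha256:…`) or at least have the build log the resolved digest so the RPM's provenance is recorded. The self-referencing default `ARG FEDORA_VERSION="${FEDORA_VERSION:-39}"` looks equivalent to plain `ARG FEDORA_VERSION=39`, since `--build-arg` overrides the default either way; if it is meant to inherit a value from somewhere else, a comment saying where would stop the next reader from simplifying it. The final `FROM scratch` stage ships the package unsigned, so consumers have only the image signature to trust — worth stating in a comment above `COPY --from=builder`.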
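Review bot: The `%files` section installs everything under `%{_exec_prefix}/etc` (i.e. `/usr/etc`) instead of `%{_sysconfdir}`, which is presumably deliberate because `policy.json` itself references `/usr/etc/pki/containers/...` and rpm-ostree hosts seed `/etc` from `/usr/etc`, but nothing in the spec says so and a reader will take it for a typo. Add a comment above `%files`, `# /usr/etc on purpose: rpm-ostree treats it as the default /etc, and policy.json points at these paths`. Unpacking the tarball straight into `%{buildroot}` in `%install` also bypasses `%prep`; extracting with `%autosetup -c` and then `install -Dm0644` per file would make the packaged contents explicit and let the `%attr` lines go.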
diff --git a/config/files/usr/etc/containers/policy.json b/config/files/usr/etc/containers/policy.json
new file mode 100644
index 0000000..0041022
--- /dev/null
+++ b/config/files/usr/etc/containers/policy.json
@@ -0,0 +1,44 @@
+{
+"default": [
+{
+"type": "insecureAcceptAnything"
+}
+],
+"transports": {
+"docker": {
+"registry.access.redhat.com": [
+{
+"type": "signedBy",
+"keyType": "GPGKeys",
+"keyPath": "/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release"
+}
+],
+"registry.redhat.io": [
+{
+"type": "signedBy",
+"keyType": "GPGKeys",
+"keyPath": "/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release"
+}
+],
+"ghcr.io/getchoo": [
+{
+"type": "sigstoreSigned",
+"fulcio": {
+"caPath": "/usr/etc/pki/containers/fulcio_v1.crt.pem",
+"oidcIssuer": "https://token.actions.githubusercontent.com",
+"subjectEmail": "https://github.com/getchoo/fedora-oci-images/.github/workflows/build-image.yaml@refs/heads/main"
+},
+"rekorPublicKeyPath": "/usr/etc/pki/containers/rekor.pub",
+"signedIdentity": { "type": "matchRepository" }
+}
+]
+},
+"docker-daemon": {
+"": [
+{
+"type": "insecureAcceptAnything"
+}
+]
+}
+}
+}
diff --git a/config/files/usr/etc/containers/registries.d/getchoo.yaml b/config/files/usr/etc/containers/registries.d/getchoo.yaml
new file mode 100644
index 0000000..7f39915
--- /dev/null
+++ b/config/files/usr/etc/containers/registries.d/getchoo.yaml
@@ -0,0 +1,3 @@
+docker:
+ghcr.io/getchoo:
+use-sigstore-attachments: true
diff --git a/config/files/usr/etc/pki/containers/fulcio_v1.crt.pem b/config/files/usr/etc/pki/containers/fulcio_v1.crt.pem
new file mode 100644
index 0000000..3afc46b
--- /dev/null
+++ b/config/files/usr/etc/pki/containers/fulcio_v1.crt.pem
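Review bot: `"default": [{"type": "insecureAcceptAnything"}]` means every image outside `ghcr.io/getchoo` and the two Red Hat registries — the Fedora base images, and any typosquatted namespace on ghcr.io — is still accepted with no signature check, so the new `sigstoreSigned` entry hardens exactly one namespace; if the goal is a verified host, switch the default to `{"type": "reject"}` and enumerate the registries that are actually pulled, otherwise record the trade-off in the spec's `%description` since JSON cannot carry a comment. Separately, `subjectEmail` is set to a GitHub Actions workflow URI; as far as I can tell containers/image compares `subjectEmail` with the certificate's e-mail SAN, whereas a keyless Actions certificate carries that identity as a URI SAN, so this rule may reject every signature rather than accept it — confirm with `podman pull`/`skopeo copy` against a signed `ghcr.io/getchoo` image before the RPM ships. Both `caPath` and `rekorPublicKeyPath` point under `/usr/etc`, which does not exist on non-ostree hosts; a comment in the accompanying spec noting the policy is ostree-only would save a confusing failure elsewhere.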
@@ -0,0 +1,13 @@
+-----BEGIN CERTIFICATE-----
+MIIB9zCCAXygAwIBAgIUALZNAPFdxHPwjeDloDwyYChAO/4wCgYIKoZIzj0EAwMw
+KjEVMBMGA1UEChMMc2lnc3RvcmUuZGV2MREwDwYDVQQDEwhzaWdzdG9yZTAeFw0y
+MTEwMDcxMzU2NTlaFw0zMTEwMDUxMzU2NThaMCoxFTATBgNVBAoTDHNpZ3N0b3Jl
+LmRldjERMA8GA1UEAxMIc2lnc3RvcmUwdjAQBgcqhkjOPQIBBgUrgQQAIgNiAAT7
+XeFT4rb3PQGwS4IajtLk3/OlnpgangaBclYpsYBr5i+4ynB07ceb3LP0OIOZdxex
+X69c5iVuyJRQ+Hz05yi+UF3uBWAlHpiS5sh0+H2GHE7SXrk1EC5m1Tr19L9gg92j
+YzBhMA4GA1UdDwEB/wQEAwIBBjAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBRY
+wB5fkUWlZql6zJChkyLQKsXF+jAfBgNVHSMEGDAWgBRYwB5fkUWlZql6zJChkyLQ
+KsXF+jAKBggqhkjOPQQDAwNpADBmAjEAj1nHeXZp+13NWBNa+EDsDP8G1WWg1tCM
+WP/WHPqpaVo0jhsweNFZgSs0eE7wYI4qAjEA2WB9ot98sIkoF3vZYdd3/VtWB5b9
+TNMea7Ix/stJ5TfcLLeABLE4BNJOsQ4vnBHJ
+-----END CERTIFICATE-----
\ No newline at end of file
diff --git a/config/files/usr/etc/pki/containers/rekor.pub b/config/files/usr/etc/pki/containers/rekor.pub
new file mode 100644
index 0000000..050ef60
--- /dev/null
+++ b/config/files/usr/etc/pki/containers/rekor.pub
@@ -0,0 +1,4 @@
+-----BEGIN PUBLIC KEY-----
+MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE2G2Y+2tabdTV5BcGiBIx0a9fAFwr
+kBbmLSGtks4L3qX6yYY0zufBnhC8Ur/iy55GhWP/9A/bY2LhC30M9+RYtw==
+-----END PUBLIC KEY----- |
