From 6a0a5b46c633f12ca0e754353b6a6f8818915ed8 Mon Sep 17 00:00:00 2001
From: seth
Date: Thu, 25 Jan 2024 09:20:49 -0500
Subject: add signed image support
---
 config/files/usr/etc/containers/policy.json | 44 ++++++++++++++++++++++
 .../usr/etc/containers/registries.d/getchoo.yaml | 3 ++
 2 files changed, 47 insertions(+)
 create mode 100644 config/files/usr/etc/containers/policy.json
 create mode 100644 config/files/usr/etc/containers/registries.d/getchoo.yaml
(limited to 'config/files/usr/etc/containers')
diff --git a/config/files/usr/etc/containers/policy.json b/config/files/usr/etc/containers/policy.json
new file mode 100644
index 0000000..0041022
--- /dev/null
+++ b/config/files/usr/etc/containers/policy.json
@@ -0,0 +1,44 @@
+{
+  "default": [
+    {
+      "type": "insecureAcceptAnything"
+    }
+  ],
+  "transports": {
+    "docker": {
+      "registry.access.redhat.com": [
+        {
+          "type": "signedBy",
+          "keyType": "GPGKeys",
+          "keyPath": "/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release"
+        }
+      ],
+      "registry.redhat.io": [
+        {
+          "type": "signedBy",
+          "keyType": "GPGKeys",
+          "keyPath": "/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release"
+        }
+      ],
+      "ghcr.io/getchoo": [
+        {
+          "type": "sigstoreSigned",
+          "fulcio": {
+            "caPath": "/usr/etc/pki/containers/fulcio_v1.crt.pem",
+            "oidcIssuer": "https://token.actions.githubusercontent.com",
+            "subjectEmail": "https://github.com/getchoo/fedora-oci-images/.github/workflows/build-image.yaml@refs/heads/main"
+          },
+          "rekorPublicKeyPath": "/usr/etc/pki/containers/rekor.pub",
+          "signedIdentity": { "type": "matchRepository" }
+        }
+      ]
+    },
+    "docker-daemon": {
+      "": [
+        {
+          "type": "insecureAcceptAnything"
+        }
+      ]
+    }
+  }
+}
diff --git a/config/files/usr/etc/containers/registries.d/getchoo.yaml b/config/files/usr/etc/containers/registries.d/getchoo.yaml
new file mode 100644
index 0000000..7f39915
--- /dev/null
+++ b/config/files/usr/etc/containers/registries.d/getchoo.yaml
@@ -0,0 +1,3 @@
+docker:
+  ghcr.io/getchoo:
+    use-sigstore-attachments: true
-- 
cgit v1.2.3
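Review bot: The top-level `"default"` remains `insecureAcceptAnything`, so the new `sigstoreSigned` requirement binds only to the `ghcr.io/getchoo` scope (plus the two `signedBy` Red Hat scopes); an image pulled from any other registry, or the same image mirrored under another repository name, is accepted with no verification at all. If the goal of "signed image support" is enforcement for the images this config ships, the fail-closed form is `"default": [ { "type": "reject" } ]` with explicit per-scope allowances; if the permissive default is deliberate, say so in the commit message so the next reader does not assume signatures are enforced globally. The referenced `/usr/etc/pki/containers/fulcio_v1.crt.pem`, `/usr/etc/pki/containers/rekor.pub` and `/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release` are outside this filtered view, and a scope whose key or CA file is missing on the image fails closed, so it is worth confirming they are all installed — the Red Hat release key in particular is not something a Fedora-based image necessarily ships. The `subjectEmail` value is a GitHub Actions workflow-identity URI rather than an e-mail address; if the installed containers-common release matches `subjectEmail` only against the certificate's e-mail SAN, every signature under this scope would be rejected, so verify with an actual signed pull against the target image rather than relying on the policy parsing cleanly.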