From a22849cfc5911aced35cbca3968578d220d26973 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Timoth=C3=A9e=20Ravier?=
Date: Mon, 18 Dec 2023 18:45:07 +0100
Subject: [PATCH 1/2] workflows: Sign using cosign (all)
---
 .github/workflows/almalinux.yaml | 28 ++++++++++++++++++++++++++++
 .github/workflows/alpine.yaml | 28 ++++++++++++++++++++++++++++
 .github/workflows/amazonlinux.yaml | 28 ++++++++++++++++++++++++++++
 .github/workflows/archlinux.yaml | 28 ++++++++++++++++++++++++++++
 .github/workflows/debian.yaml | 28 ++++++++++++++++++++++++++++
 .github/workflows/fedora.yaml | 28 ++++++++++++++++++++++++++++
 .github/workflows/opensuse.yaml | 28 ++++++++++++++++++++++++++++
 .github/workflows/rhel.yaml | 28 ++++++++++++++++++++++++++++
 .github/workflows/rockylinux.yaml | 28 ++++++++++++++++++++++++++++
 .github/workflows/ubuntu.yaml | 28 ++++++++++++++++++++++++++++
 10 files changed, 280 insertions(+)
diff --git a/.github/workflows/almalinux.yaml b/.github/workflows/almalinux.yaml
index 7315a216..a52953e4 100644
--- a/.github/workflows/almalinux.yaml
+++ b/.github/workflows/almalinux.yaml
@@ -85,6 +85,7 @@ jobs:
 - name: Push to Container Registry (latest tag)
 uses: redhat-actions/push-to-registry@v2
+ id: push-latest
 if: (github.event_name == 'push' || github.event_name == 'schedule') && github.ref == 'refs/heads/main' && env.latest_release == matrix.release
 with:
 username: ${{ secrets.BOT_USERNAME }}
@@ -92,3 +93,30 @@ jobs:
 image: ${{ env.distro }}-toolbox
 registry: ${{ env.registry }}
 tags: ${{ matrix.release }} latest
+
+ - name: Login to Container Registry
+ uses: redhat-actions/podman-login@v1
+ if: (github.event_name == 'push' || github.event_name == 'schedule') && github.ref == 'refs/heads/main'
+ with:
+ registry: ${{ env.registry }}
+ username: ${{ secrets.BOT_USERNAME }}
+ password: ${{ secrets.BOT_SECRET }}
+
+ - uses: sigstore/cosign-installer@v3.3.0
+ if: (github.event_name == 'push' || github.event_name == 'schedule') && github.ref == 'refs/heads/main'
+
+ - name: Sign container image
+ if: (github.event_name == 'push' || github.event_name == 'schedule') && github.ref == 'refs/heads/main' && env.latest_release != matrix.release
+ run: |
+ cosign sign -y --key env://COSIGN_PRIVATE_KEY ${{ env.registry }}/${{ env.distro }}-toolbox@${{ steps.push.outputs.digest }}
+ env:
+ COSIGN_EXPERIMENTAL: false
+ COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }}
+
+ - name: Sign container image (latest)
+ if: (github.event_name == 'push' || github.event_name == 'schedule') && github.ref == 'refs/heads/main' && env.latest_release == matrix.release
+ run: |
+ cosign sign -y --key env://COSIGN_PRIVATE_KEY ${{ env.registry }}/${{ env.distro }}-toolbox@${{ steps.push-latest.outputs.digest }}
+ env:
+ COSIGN_EXPERIMENTAL: false
+ COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }}
diff --git a/.github/workflows/alpine.yaml b/.github/workflows/alpine.yaml
index cf813305..56be2f13 100644
--- a/.github/workflows/alpine.yaml
+++ b/.github/workflows/alpine.yaml
@@ -85,6 +85,7 @@ jobs:
 - name: Push to Container Registry (latest tag)
 uses: redhat-actions/push-to-registry@v2
+ id: push-latest
 if: (github.event_name == 'push' || github.event_name == 'schedule') && github.ref == 'refs/heads/main' && env.latest_release == matrix.release
 with:
 username: ${{ secrets.BOT_USERNAME }}
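Review bot: Both sign steps run `cosign sign --key env://COSIGN_PRIVATE_KEY` with a long-lived key from a repository secret but pass no `COSIGN_PASSWORD`, so either the stored key is unencrypted or the step cannot decrypt it; keeping the key passphrase-protected and adding `COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}` (secret name chosen here) to the same `env:` block limits what a leaked secret is worth, and the keyless OIDC flow (`permissions: id-token: write`, no `--key`) would avoid storing a signing key at all. The non-latest step signs `steps.push.outputs.digest`, which presumes the earlier push step, outside this hunk, already carries `id: push`; only `id: push-latest` is added here, so confirm that, otherwise the reference expands to `…-toolbox@` and the step fails rather than signing. `COSIGN_EXPERIMENTAL: false` appears to be a leftover from cosign v1 and is ignored by the v2 binary that `sigstore/cosign-installer@v3.3.0` installs, so it can be dropped. That installer and `redhat-actions/podman-login@v1` are referenced by mutable tag; pinning the signing tooling by commit SHA keeps a moved tag from silently changing what produces the signatures. The identical block is repeated in the alpine, amazonlinux, debian, fedora, opensuse, rhel, rockylinux and ubuntu hunks, and in archlinux with the non-latest step commented out.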
@@ -92,3 +93,30 @@ jobs:
 image: ${{ env.distro }}-toolbox
 registry: ${{ env.registry }}
 tags: ${{ matrix.release }} latest
+
+ - name: Login to Container Registry
+ uses: redhat-actions/podman-login@v1
+ if: (github.event_name == 'push' || github.event_name == 'schedule') && github.ref == 'refs/heads/main'
+ with:
+ registry: ${{ env.registry }}
+ username: ${{ secrets.BOT_USERNAME }}
+ password: ${{ secrets.BOT_SECRET }}
+
+ - uses: sigstore/cosign-installer@v3.3.0
+ if: (github.event_name == 'push' || github.event_name == 'schedule') && github.ref == 'refs/heads/main'
+
+ - name: Sign container image
+ if: (github.event_name == 'push' || github.event_name == 'schedule') && github.ref == 'refs/heads/main' && env.latest_release != matrix.release
+ run: |
+ cosign sign -y --key env://COSIGN_PRIVATE_KEY ${{ env.registry }}/${{ env.distro }}-toolbox@${{ steps.push.outputs.digest }}
+ env:
+ COSIGN_EXPERIMENTAL: false
+ COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }}
+
+ - name: Sign container image (latest)
+ if: (github.event_name == 'push' || github.event_name == 'schedule') && github.ref == 'refs/heads/main' && env.latest_release == matrix.release
+ run: |
+ cosign sign -y --key env://COSIGN_PRIVATE_KEY ${{ env.registry }}/${{ env.distro }}-toolbox@${{ steps.push-latest.outputs.digest }}
+ env:
+ COSIGN_EXPERIMENTAL: false
+ COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }}
diff --git a/.github/workflows/amazonlinux.yaml b/.github/workflows/amazonlinux.yaml
index 9ac03ea2..6aa6ff05 100644
--- a/.github/workflows/amazonlinux.yaml
+++ b/.github/workflows/amazonlinux.yaml
@@ -85,6 +85,7 @@ jobs:
 - name: Push to Container Registry (latest tag)
 uses: redhat-actions/push-to-registry@v2
+ id: push-latest
 if: (github.event_name == 'push' || github.event_name == 'schedule') && github.ref == 'refs/heads/main' && env.latest_release == matrix.release
 with:
 username: ${{ secrets.BOT_USERNAME }}
@@ -92,3 +93,30 @@ jobs:
 image: ${{ env.distro }}-toolbox
 registry: ${{ env.registry }}
 tags: ${{ matrix.release }} latest
+
+ - name: Login to Container Registry
+ uses: redhat-actions/podman-login@v1
+ if: (github.event_name == 'push' || github.event_name == 'schedule') && github.ref == 'refs/heads/main'
+ with:
+ registry: ${{ env.registry }}
+ username: ${{ secrets.BOT_USERNAME }}
+ password: ${{ secrets.BOT_SECRET }}
+
+ - uses: sigstore/cosign-installer@v3.3.0
+ if: (github.event_name == 'push' || github.event_name == 'schedule') && github.ref == 'refs/heads/main'
+
+ - name: Sign container image
+ if: (github.event_name == 'push' || github.event_name == 'schedule') && github.ref == 'refs/heads/main' && env.latest_release != matrix.release
+ run: |
+ cosign sign -y --key env://COSIGN_PRIVATE_KEY ${{ env.registry }}/${{ env.distro }}-toolbox@${{ steps.push.outputs.digest }}
+ env:
+ COSIGN_EXPERIMENTAL: false
+ COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }}
+
+ - name: Sign container image (latest)
+ if: (github.event_name == 'push' || github.event_name == 'schedule') && github.ref == 'refs/heads/main' && env.latest_release == matrix.release
+ run: |
+ cosign sign -y --key env://COSIGN_PRIVATE_KEY ${{ env.registry }}/${{ env.distro }}-toolbox@${{ steps.push-latest.outputs.digest }}
+ env:
+ COSIGN_EXPERIMENTAL: false
+ COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }}
diff --git a/.github/workflows/archlinux.yaml b/.github/workflows/archlinux.yaml
index 06d7e85c..1dc896c1 100644
--- a/.github/workflows/archlinux.yaml
+++ b/.github/workflows/archlinux.yaml
@@ -88,6 +88,7 @@ jobs:
 - name: Push to Container Registry (latest tag)
 uses: redhat-actions/push-to-registry@v2
+ id: push-latest
 if: (github.event_name == 'push' || github.event_name == 'schedule') && github.ref == 'refs/heads/main' && env.latest_release == matrix.release
 with:
 username: ${{ secrets.BOT_USERNAME }}
@@ -96,3 +97,30 @@ jobs:
 registry: ${{ env.registry }}
 # tags: ${{ matrix.release }} latest
 tags: latest
+
+ - name: Login to Container Registry
+ uses: redhat-actions/podman-login@v1
+ if: (github.event_name == 'push' || github.event_name == 'schedule') && github.ref == 'refs/heads/main'
+ with:
+ registry: ${{ env.registry }}
+ username: ${{ secrets.BOT_USERNAME }}
+ password: ${{ secrets.BOT_SECRET }}
+
+ - uses: sigstore/cosign-installer@v3.3.0
+ if: (github.event_name == 'push' || github.event_name == 'schedule') && github.ref == 'refs/heads/main'
+
+ # - name: Sign container image
+ # if: (github.event_name == 'push' || github.event_name == 'schedule') && github.ref == 'refs/heads/main' && env.latest_release != matrix.release
+ # run: |
+ # cosign sign -y --key env://COSIGN_PRIVATE_KEY ${{ env.registry }}/${{ env.distro }}-toolbox@${{ steps.push.outputs.digest }}
+ # env:
+ # COSIGN_EXPERIMENTAL: false
+ # COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }}
+
+ - name: Sign container image (latest)
+ if: (github.event_name == 'push' || github.event_name == 'schedule') && github.ref == 'refs/heads/main' && env.latest_release == matrix.release
+ run: |
+ cosign sign -y --key env://COSIGN_PRIVATE_KEY ${{ env.registry }}/${{ env.distro }}-toolbox@${{ steps.push-latest.outputs.digest }}
+ env:
+ COSIGN_EXPERIMENTAL: false
+ COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }}
diff --git a/.github/workflows/debian.yaml b/.github/workflows/debian.yaml
index c9d97b64..c406eab2 100644
--- a/.github/workflows/debian.yaml
+++ b/.github/workflows/debian.yaml
@@ -85,6 +85,7 @@ jobs:
 - name: Push to Container Registry (latest tag)
 uses: redhat-actions/push-to-registry@v2
+ id: push-latest
 if: (github.event_name == 'push' || github.event_name == 'schedule') && github.ref == 'refs/heads/main' && env.latest_release == matrix.release
 with:
 username: ${{ secrets.BOT_USERNAME }}
@@ -92,3 +93,30 @@ jobs:
 image: ${{ env.distro }}-toolbox
 registry: ${{ env.registry }}
 tags: ${{ matrix.release }} latest
+
+ - name: Login to Container Registry
+ uses: redhat-actions/podman-login@v1
+ if: (github.event_name == 'push' || github.event_name == 'schedule') && github.ref == 'refs/heads/main'
+ with:
+ registry: ${{ env.registry }}
+ username: ${{ secrets.BOT_USERNAME }}
+ password: ${{ secrets.BOT_SECRET }}
+
+ - uses: sigstore/cosign-installer@v3.3.0
+ if: (github.event_name == 'push' || github.event_name == 'schedule') && github.ref == 'refs/heads/main'
+
+ - name: Sign container image
+ if: (github.event_name == 'push' || github.event_name == 'schedule') && github.ref == 'refs/heads/main' && env.latest_release != matrix.release
+ run: |
+ cosign sign -y --key env://COSIGN_PRIVATE_KEY ${{ env.registry }}/${{ env.distro }}-toolbox@${{ steps.push.outputs.digest }}
+ env:
+ COSIGN_EXPERIMENTAL: false
+ COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }}
+
+ - name: Sign container image (latest)
+ if: (github.event_name == 'push' || github.event_name == 'schedule') && github.ref == 'refs/heads/main' && env.latest_release == matrix.release
+ run: |
+ cosign sign -y --key env://COSIGN_PRIVATE_KEY ${{ env.registry }}/${{ env.distro }}-toolbox@${{ steps.push-latest.outputs.digest }}
+ env:
+ COSIGN_EXPERIMENTAL: false
+ COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }}
diff --git a/.github/workflows/fedora.yaml b/.github/workflows/fedora.yaml
index fa041236..07eb68f9 100644
--- a/.github/workflows/fedora.yaml
+++ b/.github/workflows/fedora.yaml
@@ -85,6 +85,7 @@ jobs:
 - name: Push to Container Registry (latest tag)
 uses: redhat-actions/push-to-registry@v2
+ id: push-latest
 if: (github.event_name == 'push' || github.event_name == 'schedule') && github.ref == 'refs/heads/main' && env.latest_release == matrix.release
 with:
 username: ${{ secrets.BOT_USERNAME }}
@@ -92,3 +93,30 @@ jobs:
 image: ${{ env.distro }}-toolbox
 registry: ${{ env.registry }}
 tags: ${{ matrix.release }} latest
+
+ - name: Login to Container Registry
+ uses: redhat-actions/podman-login@v1
+ if: (github.event_name == 'push' || github.event_name == 'schedule') && github.ref == 'refs/heads/main'
+ with:
+ registry: ${{ env.registry }}
+ username: ${{ secrets.BOT_USERNAME }}
+ password: ${{ secrets.BOT_SECRET }}
+
+ - uses: sigstore/cosign-installer@v3.3.0
+ if: (github.event_name == 'push' || github.event_name == 'schedule') && github.ref == 'refs/heads/main'
+
+ - name: Sign container image
+ if: (github.event_name == 'push' || github.event_name == 'schedule') && github.ref == 'refs/heads/main' && env.latest_release != matrix.release
+ run: |
+ cosign sign -y --key env://COSIGN_PRIVATE_KEY ${{ env.registry }}/${{ env.distro }}-toolbox@${{ steps.push.outputs.digest }}
+ env:
+ COSIGN_EXPERIMENTAL: false
+ COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }}
+
+ - name: Sign container image (latest)
+ if: (github.event_name == 'push' || github.event_name == 'schedule') && github.ref == 'refs/heads/main' && env.latest_release == matrix.release
+ run: |
+ cosign sign -y --key env://COSIGN_PRIVATE_KEY ${{ env.registry }}/${{ env.distro }}-toolbox@${{ steps.push-latest.outputs.digest }}
+ env:
+ COSIGN_EXPERIMENTAL: false
+ COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }}
diff --git a/.github/workflows/opensuse.yaml b/.github/workflows/opensuse.yaml
index e2381561..79ede34f 100644
--- a/.github/workflows/opensuse.yaml
+++ b/.github/workflows/opensuse.yaml
@@ -85,6 +85,7 @@ jobs:
 - name: Push to Container Registry (latest tag)
 uses: redhat-actions/push-to-registry@v2
+ id: push-latest
 if: (github.event_name == 'push' || github.event_name == 'schedule') && github.ref == 'refs/heads/main' && env.latest_release == matrix.release
 with:
 username: ${{ secrets.BOT_USERNAME }}
@@ -92,3 +93,30 @@ jobs:
 image: ${{ env.distro }}-toolbox
 registry: ${{ env.registry }}
 tags: ${{ matrix.release }} latest
+
+ - name: Login to Container Registry
+ uses: redhat-actions/podman-login@v1
+ if: (github.event_name == 'push' || github.event_name == 'schedule') && github.ref == 'refs/heads/main'
+ with:
+ registry: ${{ env.registry }}
+ username: ${{ secrets.BOT_USERNAME }}
+ password: ${{ secrets.BOT_SECRET }}
+
+ - uses: sigstore/cosign-installer@v3.3.0
+ if: (github.event_name == 'push' || github.event_name == 'schedule') && github.ref == 'refs/heads/main'
+
+ - name: Sign container image
+ if: (github.event_name == 'push' || github.event_name == 'schedule') && github.ref == 'refs/heads/main' && env.latest_release != matrix.release
+ run: |
+ cosign sign -y --key env://COSIGN_PRIVATE_KEY ${{ env.registry }}/${{ env.distro }}-toolbox@${{ steps.push.outputs.digest }}
+ env:
+ COSIGN_EXPERIMENTAL: false
+ COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }}
+
+ - name: Sign container image (latest)
+ if: (github.event_name == 'push' || github.event_name == 'schedule') && github.ref == 'refs/heads/main' && env.latest_release == matrix.release
+ run: |
+ cosign sign -y --key env://COSIGN_PRIVATE_KEY ${{ env.registry }}/${{ env.distro }}-toolbox@${{ steps.push-latest.outputs.digest }}
+ env:
+ COSIGN_EXPERIMENTAL: false
+ COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }}
diff --git a/.github/workflows/rhel.yaml b/.github/workflows/rhel.yaml
index 4bfe20c8..f5ec6676 100644
--- a/.github/workflows/rhel.yaml
+++ b/.github/workflows/rhel.yaml
@@ -85,6 +85,7 @@ jobs:
 - name: Push to Container Registry (latest tag)
 uses: redhat-actions/push-to-registry@v2
+ id: push-latest
 if: (github.event_name == 'push' || github.event_name == 'schedule') && github.ref == 'refs/heads/main' && env.latest_release == matrix.release
 with:
 username: ${{ secrets.BOT_USERNAME }}
@@ -92,3 +93,30 @@ jobs:
 image: ${{ env.distro }}-toolbox
 registry: ${{ env.registry }}
 tags: ${{ matrix.release }} latest
+
+ - name: Login to Container Registry
+ uses: redhat-actions/podman-login@v1
+ if: (github.event_name == 'push' || github.event_name == 'schedule') && github.ref == 'refs/heads/main'
+ with:
+ registry: ${{ env.registry }}
+ username: ${{ secrets.BOT_USERNAME }}
+ password: ${{ secrets.BOT_SECRET }}
+
+ - uses: sigstore/cosign-installer@v3.3.0
+ if: (github.event_name == 'push' || github.event_name == 'schedule') && github.ref == 'refs/heads/main'
+
+ - name: Sign container image
+ if: (github.event_name == 'push' || github.event_name == 'schedule') && github.ref == 'refs/heads/main' && env.latest_release != matrix.release
+ run: |
+ cosign sign -y --key env://COSIGN_PRIVATE_KEY ${{ env.registry }}/${{ env.distro }}-toolbox@${{ steps.push.outputs.digest }}
+ env:
+ COSIGN_EXPERIMENTAL: false
+ COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }}
+
+ - name: Sign container image (latest)
+ if: (github.event_name == 'push' || github.event_name == 'schedule') && github.ref == 'refs/heads/main' && env.latest_release == matrix.release
+ run: |
+ cosign sign -y --key env://COSIGN_PRIVATE_KEY ${{ env.registry }}/${{ env.distro }}-toolbox@${{ steps.push-latest.outputs.digest }}
+ env:
+ COSIGN_EXPERIMENTAL: false
+ COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }}
diff --git a/.github/workflows/rockylinux.yaml b/.github/workflows/rockylinux.yaml
index db20e8f6..b8fcea82 100644
--- a/.github/workflows/rockylinux.yaml
+++ b/.github/workflows/rockylinux.yaml
@@ -85,6 +85,7 @@ jobs:
 - name: Push to Container Registry (latest tag)
 uses: redhat-actions/push-to-registry@v2
+ id: push-latest
 if: (github.event_name == 'push' || github.event_name == 'schedule') && github.ref == 'refs/heads/main' && env.latest_release == matrix.release
 with:
 username: ${{ secrets.BOT_USERNAME }}
@@ -92,3 +93,30 @@ jobs:
 image: ${{ env.distro }}-toolbox
 registry: ${{ env.registry }}
 tags: ${{ matrix.release }} latest
+
+ - name: Login to Container Registry
+ uses: redhat-actions/podman-login@v1
+ if: (github.event_name == 'push' || github.event_name == 'schedule') && github.ref == 'refs/heads/main'
+ with:
+ registry: ${{ env.registry }}
+ username: ${{ secrets.BOT_USERNAME }}
+ password: ${{ secrets.BOT_SECRET }}
+
+ - uses: sigstore/cosign-installer@v3.3.0
+ if: (github.event_name == 'push' || github.event_name == 'schedule') && github.ref == 'refs/heads/main'
+
+ - name: Sign container image
+ if: (github.event_name == 'push' || github.event_name == 'schedule') && github.ref == 'refs/heads/main' && env.latest_release != matrix.release
+ run: |
+ cosign sign -y --key env://COSIGN_PRIVATE_KEY ${{ env.registry }}/${{ env.distro }}-toolbox@${{ steps.push.outputs.digest }}
+ env:
+ COSIGN_EXPERIMENTAL: false
+ COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }}
+
+ - name: Sign container image (latest)
+ if: (github.event_name == 'push' || github.event_name == 'schedule') && github.ref == 'refs/heads/main' && env.latest_release == matrix.release
+ run: |
+ cosign sign -y --key env://COSIGN_PRIVATE_KEY ${{ env.registry }}/${{ env.distro }}-toolbox@${{ steps.push-latest.outputs.digest }}
+ env:
+ COSIGN_EXPERIMENTAL: false
+ COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }}
diff --git a/.github/workflows/ubuntu.yaml b/.github/workflows/ubuntu.yaml
index 8df99f10..e623c5d0 100644
--- a/.github/workflows/ubuntu.yaml
+++ b/.github/workflows/ubuntu.yaml
@@ -85,6 +85,7 @@ jobs:
 - name: Push to Container Registry (latest tag)
 uses: redhat-actions/push-to-registry@v2
+ id: push-latest
 if: (github.event_name == 'push' || github.event_name == 'schedule') && github.ref == 'refs/heads/main' && env.latest_release == matrix.release
 with:
 username: ${{ secrets.BOT_USERNAME }}
@@ -92,3 +93,30 @@ jobs:
 image: ${{ env.distro }}-toolbox
 registry: ${{ env.registry }}
 tags: ${{ matrix.release }} latest
+
+ - name: Login to Container Registry
+ uses: redhat-actions/podman-login@v1
+ if: (github.event_name == 'push' || github.event_name == 'schedule') && github.ref == 'refs/heads/main'
+ with:
+ registry: ${{ env.registry }}
+ username: ${{ secrets.BOT_USERNAME }}
+ password: ${{ secrets.BOT_SECRET }}
+
+ - uses: sigstore/cosign-installer@v3.3.0
+ if: (github.event_name == 'push' || github.event_name == 'schedule') && github.ref == 'refs/heads/main'
+
+ - name: Sign container image
+ if: (github.event_name == 'push' || github.event_name == 'schedule') && github.ref == 'refs/heads/main' && env.latest_release != matrix.release
+ run: |
+ cosign sign -y --key env://COSIGN_PRIVATE_KEY ${{ env.registry }}/${{ env.distro }}-toolbox@${{ steps.push.outputs.digest }}
+ env:
+ COSIGN_EXPERIMENTAL: false
+ COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }}
+
+ - name: Sign container image (latest)
+ if: (github.event_name == 'push' || github.event_name == 'schedule') && github.ref == 'refs/heads/main' && env.latest_release == matrix.release
+ run: |
+ cosign sign -y --key env://COSIGN_PRIVATE_KEY ${{ env.registry }}/${{ env.distro }}-toolbox@${{ steps.push-latest.outputs.digest }}
+ env:
+ COSIGN_EXPERIMENTAL: false
+ COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }}
From 4d7d201f157d83b2f7709ecfb9cdcb5012c2dec4 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Timoth=C3=A9e=20Ravier?=
Date: Mon, 18 Dec 2023 18:41:00 +0100
Subject: [PATCH 2/2] Add pubkey and instructions for cosign/sigstore signatures
Fixes: https://github.com/toolbx-images/images/issues/105
---
 README.md | 52 +++++++++++++++++++++++++++++++++++++++
 quay.io-toolbx-images.pub | 4 +++
 2 files changed, 56 insertions(+)
 create mode 100644 quay.io-toolbx-images.pub
diff --git a/README.md b/README.md
index 862385e4..7081cf25 100644
--- a/README.md
+++ b/README.md
@@ -158,6 +158,58 @@ directly use the commands below:
 $ toolbox enter ubuntu-toolbox-16.04
 ```
+## Verifying sigstore container signatures with podman
+
+How to configure sigstore signature verification in podman:
+
+```
+$ sudo mkdir /etc/pki/containers
+$ curl -O "https://raw.githubusercontent.com/toolbox-images/images/main/quay.io-toolbx-images.pub"
+$ sudo cp quay.io-toolbx-images.pub /etc/pki/containers/
+$ sudo restorecon -RFv /etc/pki/containers
+
+$ cat /etc/containers/registries.d/quay.io-toolbx-images.yaml
+docker:
+ quay.io/toolbx-images:
+ use-sigstore-attachments: true
+$ sudo restorecon -RFv /etc/containers/registries.d/quay.io-toolbx-images.yaml
+
+$ cat /etc/containers/policy.json
+{
+ "default": [
+ {
+ "type": "reject"
+ }
+ ],
+ "transports": {
+ "docker": {
+ ...
+ "quay.io/toolbx-images": [
+ {
+ "type": "sigstoreSigned",
+ "keyPath": "/etc/pki/containers/quay.io-toolbx-images.pub",
+ "signedIdentity": {
+ "type": "matchRepository"
+ }
+ }
+ ],
+ ...
+ "": [
+ {
+ "type": "insecureAcceptAnything"
+ }
+ ]
+ },
+ ...
+ }
+}
+...
+```
+
+## License
+
+See [COPYING](COPYING).
+
 [toolbx]: https://containertoolbx.org
 [GitHub]: https://github.com/containers/toolbox
 [containers/toolbox#1019]: https://github.com/containers/toolbox/issues/1019
diff --git a/quay.io-toolbx-images.pub b/quay.io-toolbx-images.pub
new file mode 100644
index 00000000..7c81d2c1
--- /dev/null
+++ b/quay.io-toolbx-images.pub
@@ -0,0 +1,4 @@
+-----BEGIN PUBLIC KEY-----
+MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEQr63Nsc66mA3oGMArrQPm8/AkuTO
+K+ZrK3WCWzx00LW5K1qu+BS3U4eyMmXaFKIsX69PEFZWzXKy9psum8wj9Q==
+-----END PUBLIC KEY-----
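Review bot: This key is the trust anchor for the `sigstoreSigned` policy the same commit documents, yet the documented fetch path for it is `https://raw.githubusercontent.com/toolbox-images/images/main/quay.io-toolbx-images.pub`, whose org segment (`toolbox-images`) does not match the `toolbx-images` used in this file's name, the quay.io namespace and the `Fixes:` trailer, so users following the instructions will not obtain this file (and would obtain whatever is served there if that name is ever claimed). The URL should read `https://raw.githubusercontent.com/toolbx-images/images/main/quay.io-toolbx-images.pub`, assuming that is the repository this commit lands in. Since the download is served from a mutable `main` ref over the same channel as the images, the README should also give readers a way to check the key independently of the download, for example the expected SHA-256 of this file or a reference to the signed commit that introduced it, rather than implying the raw URL alone is authoritative.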