Fabian Peter Hammerle 1663a1e7e7 added fphammerle/anoadragon453-matrix-reminder-bot:0.2.1-armv7 (untested) 1 week ago
docker.io 1663a1e7e7 added fphammerle/anoadragon453-matrix-reminder-bot:0.2.1-armv7 (untested) 1 week ago
quay.io 1663a1e7e7 added fphammerle/anoadragon453-matrix-reminder-bot:0.2.1-armv7 (untested) 1 week ago
.gitattributes 141ed7fe36 git diff: use `git --verify` to textconv signature-* files 9 months ago
README.md 9242f3e8bd readme policy.json: fix placeholders for keyPath 9 months ago

README.md

Personal Container Image Signature Store

Setup

1. Configure the signature store location in `/etc/containers/registries.d/fphammerle.yaml`:

   ```yaml
   docker:
     docker.io/fphammerle:
       sigstore: https://raw.githubusercontent.com/fphammerle/container-image-sigstore/master/docker.io
     quay.io/fphammerle:
       sigstore: https://raw.githubusercontent.com/fphammerle/container-image-sigstore/master/quay.io
   ```

2. Download the signing key:

   ```sh
   $ gpg --recv-key 8D2902FE7DF47DDEDA2802F9456B9A0399A5DA2F
   $ gpg --export --armor --output /some/where/pgp/fphammerle 8D2902FE7DF47DDEDA2802F9456B9A0399A5DA2F
   ```
3. Enable verification in `policy.json`:

   ```json
   {
     "default": [
       {
         "type": "reject"
       }
     ],
     "transports": {
       "docker": {
         "docker.io/fphammerle": [
           {
             "type": "signedBy",
             "keyType": "GPGKeys",
             "keyPath": "/some/where/pgp/fphammerle",
             "signedIdentity": {"type": "matchRepoDigestOrExact"}
           }
         ],
         "quay.io/fphammerle": [
           {
             "type": "signedBy",
             "keyType": "GPGKeys",
             "keyPath": "/some/where/pgp/fphammerle",
             "signedIdentity": {"type": "matchRepoDigestOrExact"}
           }
         ]
       }
     }
   }
   ```
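The three steps above only work together if `policy.json` actually selects the `signedBy` requirement for the images you pull and falls back to `reject` for everything else. The following added example (not code from this repository) reimplements the scope-selection rules of `containers-policy.json(5)` for the `docker` transport in plain Python, so a policy can be checked offline before it is deployed: `applicable_requirements` reports which scope (or `default`) governs a given reference, and `lint_policy` flags settings that silently weaken verification, including the `/some/where` placeholder `keyPath` copied from the README. The embedded policy is a constructed copy of the one above; wildcard scopes (`*.example.com`) are not handled.

```python
"""Offline check of a containers policy.json for the "docker" transport.

Added example, not part of this repository.  Reimplements the scope matching of
containers-policy.json(5): the most specific matching scope wins, otherwise the
"default" requirements apply.  Wildcard scopes are deliberately not supported.
"""
import json

# Constructed copy of the README's policy.json, placeholder keyPath included.
POLICY_JSON = r"""
{
  "default": [{"type": "reject"}],
  "transports": {
    "docker": {
      "docker.io/fphammerle": [
        {"type": "signedBy", "keyType": "GPGKeys",
         "keyPath": "/some/where/pgp/fphammerle",
         "signedIdentity": {"type": "matchRepoDigestOrExact"}}
      ],
      "quay.io/fphammerle": [
        {"type": "signedBy", "keyType": "GPGKeys",
         "keyPath": "/some/where/pgp/fphammerle",
         "signedIdentity": {"type": "matchRepoDigestOrExact"}}
      ]
    }
  }
}
"""
POLICY = json.loads(POLICY_JSON)


def split_reference(ref):
    """Split 'registry/ns/repo[:tag][@digest]' into (repo, tag, digest)."""
    digest = tag = None
    if "@" in ref:
        ref, digest = ref.split("@", 1)
    # Only the last path component may carry a tag (registry ports also use ':').
    if ":" in ref.rsplit("/", 1)[-1]:
        ref, tag = ref.rsplit(":", 1)
    return ref, tag, digest


def candidate_scopes(ref):
    """Scopes a reference can match, most specific first, down to the registry."""
    repo, tag, digest = split_reference(ref)
    scopes = []
    if digest:
        scopes.append(f"{repo}@{digest}")
    if tag:
        scopes.append(f"{repo}:{tag}")
    parts = repo.split("/")
    for i in range(len(parts), 0, -1):
        scopes.append("/".join(parts[:i]))
    return scopes


def applicable_requirements(policy, ref):
    """Return (scope, requirements) governing ref; 'default' if no scope matches."""
    docker_scopes = policy.get("transports", {}).get("docker", {})
    for scope in candidate_scopes(ref):
        if scope in docker_scopes:
            return scope, docker_scopes[scope]
    return "default", policy["default"]


def lint_policy(policy):
    """Return human-readable findings for settings that weaken verification."""
    findings = []
    if any(r.get("type") != "reject" for r in policy.get("default", [])):
        findings.append("default: anything but 'reject' lets unlisted images run")
    for scope, reqs in policy.get("transports", {}).get("docker", {}).items():
        for r in reqs:
            if r.get("type") == "insecureAcceptAnything":
                findings.append(f"{scope}: insecureAcceptAnything disables verification")
            if r.get("type") != "signedBy":
                continue
            if r.get("keyPath", "").startswith("/some/where"):
                findings.append(f"{scope}: keyPath is still the README placeholder")
            # Absent signedIdentity means matchRepoDigestOrExact (the documented default).
            ident = r.get("signedIdentity", {}).get("type", "matchRepoDigestOrExact")
            if ident == "matchRepository":
                findings.append(f"{scope}: matchRepository accepts a signature made for any tag")
    return findings


if __name__ == "__main__":
    for ref in ("quay.io/fphammerle/systemctl-mqtt:0.5.0-amd64", "docker.io/library/nginx:latest"):
        print(ref, "->", applicable_requirements(POLICY, ref)[0])
    for finding in lint_policy(POLICY):
        print("finding:", finding)
```

Run it after editing `policy.json` and replace the `keyPath` placeholder with the real path from step 2 until the linter is quiet; `podman image trust show` (next section) then confirms the same scopes from the host's point of view.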

Verify with Podman

```sh
$ podman image trust show
default               reject
docker.io/fphammerle  signedBy  fabian@hammerle.me  https://raw.githubusercontent.com/fphammerle/container-image-sigstore/master/docker.io
quay.io/fphammerle    signedBy  fabian@hammerle.me  https://raw.githubusercontent.com/fphammerle/container-image-sigstore/master/quay.io
$ podman --log-level debug run --rm quay.io/fphammerle/systemctl-mqtt:0.5.0-amd64
[...]
DEBU[0000] Using registries.d directory /etc/containers/registries.d for sigstore configuration
DEBU[0000]  Using "docker" namespace quay.io/fphammerle
DEBU[0000]   Using https://raw.githubusercontent.com/fphammerle/container-image-sigstore/master/quay.io
[...]
DEBU[0002] GET https://raw.githubusercontent.com/fphammerle/container-image-sigstore/master/quay.io/fphammerle/systemctl-mqtt@sha256=34dcb878dbd66315de6fbf97ceb29e8fec549b7269c6c828c4c889a54a091f14/signature-1
DEBU[0002] GET https://raw.githubusercontent.com/fphammerle/container-image-sigstore/master/quay.io/fphammerle/systemctl-mqtt@sha256=34dcb878dbd66315de6fbf97ceb29e8fec549b7269c6c828c4c889a54a091f14/signature-2
DEBU[0002]  Requirement 0: allowed
DEBU[0002] Overall: allowed
[...]
DEBU[0004] Starting container 4e46cbe4e982ee84bcff54092146fb0442bb346e451cfb14e2e7f491bc886b88 with command [tini -- systemctl-mqtt --help]
[...]
$ podman --log-level debug run --rm quay.io/fphammerle/systemctl-mqtt:0.5.0-amd64-unsigned
[...]
DEBU[0000] Using registries.d directory /etc/containers/registries.d for sigstore configuration
DEBU[0000]  Using "docker" namespace quay.io/fphammerle
DEBU[0000]   Using https://raw.githubusercontent.com/fphammerle/container-image-sigstore/master/quay.io
[...]
DEBU[0002] GET https://raw.githubusercontent.com/fphammerle/container-image-sigstore/master/quay.io/fphammerle/systemctl-mqtt@sha256=34dcb878dbd66315de6fbf97ceb29e8fec549b7269c6c828c4c889a54a091f14/signature-1
DEBU[0002] GET https://raw.githubusercontent.com/fphammerle/container-image-sigstore/master/quay.io/fphammerle/systemctl-mqtt@sha256=34dcb878dbd66315de6fbf97ceb29e8fec549b7269c6c828c4c889a54a091f14/signature-2
DEBU[0002] Requirement 0: denied, done
DEBU[0002] Error pulling image ref //quay.io/fphammerle/systemctl-mqtt:0.5.0-amd64-unsigned: Source image rejected: Signature for identity quay.io/fphammerle/systemctl-mqtt:0.5.0-amd64 is not accepted
Signature for identity quay.io/fphammerle/systemctl-mqtt:0.5.0-amd64 is not accepted
Error: unable to pull quay.io/fphammerle/systemctl-mqtt:0.5.0-amd64-unsigned: Source image rejected: Signature for identity quay.io/fphammerle/systemctl-mqtt:0.5.0-amd64 is not accepted
```
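The second run above is instructive: both tags point at the same manifest digest, so the sigstore lookup (which is by digest, with `:` written as `=` in the URL path) returns the same two signature files for `-unsigned` as for the signed tag, yet the pull is denied. What decides the outcome is the `signedIdentity` rule: with `matchRepoDigestOrExact`, a pull by tag requires the identity embedded in the signature to equal the requested reference exactly, while a pull by digest only requires the repository to match. The following added example (not code from this repository) reimplements those rules from `containers-policy.json(5)` and mirrors the `Requirement 0: allowed/denied` decision; the signature identities are constructed and assumed to both carry the tagged identity Podman prints in its error message.

```python
"""Signature identity matching for a signedBy requirement.

Added example, not part of this repository.  Reimplements the signedIdentity
rules of containers-policy.json(5) to show why a signature made for one tag
does not cover a different tag of the same digest under matchRepoDigestOrExact.
"""


def repository(ref):
    """Strip tag and digest: 'reg/ns/repo:tag' or 'reg/ns/repo@sha256:..' -> 'reg/ns/repo'."""
    ref = ref.split("@", 1)[0]
    head, sep, last = ref.rpartition("/")  # only the last component can hold a tag
    last = last.split(":", 1)[0]
    return head + sep + last


def identity_matches(signed_identity, requested_ref, rule="matchRepoDigestOrExact"):
    """Does a signature made for signed_identity cover a pull of requested_ref?"""
    if rule == "exact":
        return signed_identity == requested_ref
    if rule == "matchRepository":
        # Any tag of the repository is covered: weaker, flagged by the policy linter.
        return repository(signed_identity) == repository(requested_ref)
    if rule == "matchRepoDigestOrExact":
        if "@" in requested_ref:  # pulled by digest: the repository must match
            return repository(signed_identity) == repository(requested_ref)
        return signed_identity == requested_ref  # pulled by tag: exact match
    raise ValueError(f"unsupported signedIdentity type: {rule}")


def evaluate_signed_by(signature_identities, requested_ref, rule="matchRepoDigestOrExact"):
    """Mirror the 'Requirement 0: allowed/denied' line: one acceptable signature suffices."""
    for identity in signature_identities:
        if identity_matches(identity, requested_ref, rule):
            return "allowed"
    return "denied"


# Constructed: identities assumed for signature-1 and signature-2 found under
# .../systemctl-mqtt@sha256=34dc.../ in the debug output above.
SIGNATURE_IDENTITIES = [
    "quay.io/fphammerle/systemctl-mqtt:0.5.0-amd64",
    "quay.io/fphammerle/systemctl-mqtt:0.5.0-amd64",
]
DIGEST = "sha256:34dcb878dbd66315de6fbf97ceb29e8fec549b7269c6c828c4c889a54a091f14"

if __name__ == "__main__":
    for ref in (
        "quay.io/fphammerle/systemctl-mqtt:0.5.0-amd64",
        "quay.io/fphammerle/systemctl-mqtt:0.5.0-amd64-unsigned",
        "quay.io/fphammerle/systemctl-mqtt@" + DIGEST,
    ):
        print(ref, "->", evaluate_signed_by(SIGNATURE_IDENTITIES, ref))
```

Passing `rule="matchRepository"` to `evaluate_signed_by` shows the trade-off: the `-unsigned` tag would then be allowed on the strength of a signature made for `0.5.0-amd64`, which is why the README's policy keeps the default `matchRepoDigestOrExact`.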
