|
@@ -1,3 +1,78 @@
|
|
|
+# Personal Container Image Signature Store
|
|
|
+
|
|
|
+## Setup
|
|
|
+
|
|
|
+1. configure signature store location in `/etc/containers/registries.d/fphammerle.yaml`:
|
|
|
+```yaml
|
|
|
+docker:
|
|
|
+ quay.io/fphammerle:
|
|
|
+ sigstore: https://raw.githubusercontent.com/fphammerle/container-image-sigstore/master/quay.io
|
|
|
+```
|
|
|
+
|
|
|
+2. download key
|
|
|
+```sh
|
|
|
+$ gpg --recv-key 8D2902FE7DF47DDEDA2802F9456B9A0399A5DA2F
|
|
|
+$ gpg --export --armor --output /some/where/pgp/fphammerle 8D2902FE7DF47DDEDA2802F9456B9A0399A5DA2F
|
|
|
+```
|
|
|
+
|
|
|
+3. enable verification in `policy.json`:
|
|
|
+```json
|
|
|
+{
|
|
|
+ "default": [
|
|
|
+ {
|
|
|
+ "type": "reject"
|
|
|
+ }
|
|
|
+ ],
|
|
|
+ "transports": {
|
|
|
+ "docker": {
|
|
|
+ "quay.io/fphammerle": [
|
|
|
+ {
|
|
|
+ "type": "signedBy",
|
|
|
+ "keyType": "GPGKeys",
|
|
|
+ "keyPath": "/some/where/pgp/fphammerle",
|
|
|
+ "signedIdentity": {
|
|
|
+ "type": "matchRepoDigestOrExact"
|
|
|
+ }
|
|
|
+ }
|
|
|
+ ]
|
|
|
+ }
|
|
|
+ }
|
|
|
+}
|
|
|
+```
|
|
|
+
|
|
|
+### Verify with Podman
|
|
|
+
|
|
|
+```sh
|
|
|
+$ podman image trust show
|
|
|
+default reject
|
|
|
+quay.io/fphammerle signedBy fabian@hammerle.me https://raw.githubusercontent.com/fphammerle/container-image-sigstore/master/quay.io
|
|
|
+$ podman --log-level debug run --rm quay.io/fphammerle/systemctl-mqtt:0.5.0-amd64
|
|
|
+[...]
|
|
|
+DEBU[0000] Using registries.d directory /etc/containers/registries.d for sigstore configuration
|
|
|
+DEBU[0000] Using "docker" namespace quay.io/fphammerle
|
|
|
+DEBU[0000] Using https://raw.githubusercontent.com/fphammerle/container-image-sigstore/master/quay.io
|
|
|
+[...]
|
|
|
+DEBU[0002] GET https://raw.githubusercontent.com/fphammerle/container-image-sigstore/master/quay.io/fphammerle/systemctl-mqtt@sha256=34dcb878dbd66315de6fbf97ceb29e8fec549b7269c6c828c4c889a54a091f14/signature-1
|
|
|
+DEBU[0002] GET https://raw.githubusercontent.com/fphammerle/container-image-sigstore/master/quay.io/fphammerle/systemctl-mqtt@sha256=34dcb878dbd66315de6fbf97ceb29e8fec549b7269c6c828c4c889a54a091f14/signature-2
|
|
|
+DEBU[0002] Requirement 0: allowed
|
|
|
+DEBU[0002] Overall: allowed
|
|
|
+[...]
|
|
|
+DEBU[0004] Starting container 4e46cbe4e982ee84bcff54092146fb0442bb346e451cfb14e2e7f491bc886b88 with command [tini -- systemctl-mqtt --help]
|
|
|
+[...]
|
|
|
+$ podman --log-level debug run --rm quay.io/fphammerle/systemctl-mqtt:0.5.0-amd64-unsigned
|
|
|
+[...]
|
|
|
+DEBU[0000] Using registries.d directory /etc/containers/registries.d for sigstore configuration
|
|
|
+DEBU[0000] Using "docker" namespace quay.io/fphammerle
|
|
|
+DEBU[0000] Using https://raw.githubusercontent.com/fphammerle/container-image-sigstore/master/quay.io
|
|
|
+[...]
|
|
|
+DEBU[0002] GET https://raw.githubusercontent.com/fphammerle/container-image-sigstore/master/quay.io/fphammerle/systemctl-mqtt@sha256=34dcb878dbd66315de6fbf97ceb29e8fec549b7269c6c828c4c889a54a091f14/signature-1
|
|
|
+DEBU[0002] GET https://raw.githubusercontent.com/fphammerle/container-image-sigstore/master/quay.io/fphammerle/systemctl-mqtt@sha256=34dcb878dbd66315de6fbf97ceb29e8fec549b7269c6c828c4c889a54a091f14/signature-2
|
|
|
+DEBU[0002] Requirement 0: denied, done
|
|
|
+DEBU[0002] Error pulling image ref //quay.io/fphammerle/systemctl-mqtt:0.5.0-amd64-unsigned: Source image rejected: Signature for identity quay.io/fphammerle/systemctl-mqtt:0.5.0-amd64 is not accepted
|
|
|
+ Signature for identity quay.io/fphammerle/systemctl-mqtt:0.5.0-amd64 is not accepted
|
|
|
+Error: unable to pull quay.io/fphammerle/systemctl-mqtt:0.5.0-amd64-unsigned: Source image rejected: Signature for identity quay.io/fphammerle/systemctl-mqtt:0.5.0-amd64 is not accepted
|
|
|
+```
|
|
|
+
|
|
|
## References
|
|
|
|
|
|
* [containers/registries.d: sigstore configuration](https://github.com/containers/image/blob/v5.5.2/docs/containers-registries.d.5.md#individual-configuration-sections)
|