Fabian Peter Hammerle a0fe0ce06d add fphammerle/wireless-sensor-mqtt:1.0.0-armv7 | 1 周之前 | |
---|---|---|
docker.io | 1 周之前 | |
quay.io | 1 周之前 | |
.gitattributes | 3 年之前 | |
README.md | 3 年之前 |
configure signature store location in /etc/containers/registries.d/fphammerle.yaml
:
docker:
docker.io/fphammerle:
sigstore: https://raw.githubusercontent.com/fphammerle/container-image-sigstore/master/docker.io
quay.io/fphammerle:
sigstore: https://raw.githubusercontent.com/fphammerle/container-image-sigstore/master/quay.io
download key
$ gpg --recv-key 8D2902FE7DF47DDEDA2802F9456B9A0399A5DA2F
$ gpg --export --armor --output /some/where/pgp/fphammerle 8D2902FE7DF47DDEDA2802F9456B9A0399A5DA2F
enable verification in policy.json
:
{
"default": [
{
"type": "reject"
}
],
"transports": {
"docker": {
"docker.io/fphammerle": [
{
"type": "signedBy",
"keyType": "GPGKeys",
"keyPath": "/some/where/pgp/fphammerle",
"signedIdentity": {"type": "matchRepoDigestOrExact"}
}
],
"quay.io/fphammerle": [
{
"type": "signedBy",
"keyType": "GPGKeys",
"keyPath": "/some/where/pgp/fphammerle",
"signedIdentity": {"type": "matchRepoDigestOrExact"}
}
]
}
}
}
$ podman image trust show
default reject
docker.io/fphammerle signedBy fabian@hammerle.me https://raw.githubusercontent.com/fphammerle/container-image-sigstore/master/docker.io
quay.io/fphammerle signedBy fabian@hammerle.me https://raw.githubusercontent.com/fphammerle/container-image-sigstore/master/quay.io
$ podman --log-level debug run --rm quay.io/fphammerle/systemctl-mqtt:0.5.0-amd64
[...]
DEBU[0000] Using registries.d directory /etc/containers/registries.d for sigstore configuration
DEBU[0000] Using "docker" namespace quay.io/fphammerle
DEBU[0000] Using https://raw.githubusercontent.com/fphammerle/container-image-sigstore/master/quay.io
[...]
DEBU[0002] GET https://raw.githubusercontent.com/fphammerle/container-image-sigstore/master/quay.io/fphammerle/systemctl-mqtt@sha256=34dcb878dbd66315de6fbf97ceb29e8fec549b7269c6c828c4c889a54a091f14/signature-1
DEBU[0002] GET https://raw.githubusercontent.com/fphammerle/container-image-sigstore/master/quay.io/fphammerle/systemctl-mqtt@sha256=34dcb878dbd66315de6fbf97ceb29e8fec549b7269c6c828c4c889a54a091f14/signature-2
DEBU[0002] Requirement 0: allowed
DEBU[0002] Overall: allowed
[...]
DEBU[0004] Starting container 4e46cbe4e982ee84bcff54092146fb0442bb346e451cfb14e2e7f491bc886b88 with command [tini -- systemctl-mqtt --help]
[...]
$ podman --log-level debug run --rm quay.io/fphammerle/systemctl-mqtt:0.5.0-amd64-unsigned
[...]
DEBU[0000] Using registries.d directory /etc/containers/registries.d for sigstore configuration
DEBU[0000] Using "docker" namespace quay.io/fphammerle
DEBU[0000] Using https://raw.githubusercontent.com/fphammerle/container-image-sigstore/master/quay.io
[...]
DEBU[0002] GET https://raw.githubusercontent.com/fphammerle/container-image-sigstore/master/quay.io/fphammerle/systemctl-mqtt@sha256=34dcb878dbd66315de6fbf97ceb29e8fec549b7269c6c828c4c889a54a091f14/signature-1
DEBU[0002] GET https://raw.githubusercontent.com/fphammerle/container-image-sigstore/master/quay.io/fphammerle/systemctl-mqtt@sha256=34dcb878dbd66315de6fbf97ceb29e8fec549b7269c6c828c4c889a54a091f14/signature-2
DEBU[0002] Requirement 0: denied, done
DEBU[0002] Error pulling image ref //quay.io/fphammerle/systemctl-mqtt:0.5.0-amd64-unsigned: Source image rejected: Signature for identity quay.io/fphammerle/systemctl-mqtt:0.5.0-amd64 is not accepted
Signature for identity quay.io/fphammerle/systemctl-mqtt:0.5.0-amd64 is not accepted
Error: unable to pull quay.io/fphammerle/systemctl-mqtt:0.5.0-amd64-unsigned: Source image rejected: Signature for identity quay.io/fphammerle/systemctl-mqtt:0.5.0-amd64 is not accepted
signedBy
configurationpolicy.json