
Procedure to make ostree-image-signed work as expected #35

Open
xlionjuan opened this issue Nov 4, 2024 · 2 comments

Comments

@xlionjuan (Contributor)

According to /etc/containers/policy.json, only ghcr.io/ublue-os and some Red Hat sources verify the signing key of the containers; if I didn't manually add my repo and my pubkey to it, it would just proceed. I tried modifying policy.json and adding my pubkey to the system, and rpm-ostree returned the following error:

```
error: Creating importer: Failed to invoke skopeo proxy method OpenImage: remote error: A signature was required, but no signature exists
```

It didn't say it is incorrect, it said it doesn't exist. Is it because I push my image to Docker Hub?

But when I manually run cosign verify, it said my container is valid.

@befanyt commented Nov 27, 2024

Was just playing with this myself. I took a look at your https://github.com/xlionjuan/bluefin-dx/ repo. Try the following steps to make this work.

Put a copy of your public key (the same one you have in your repo called cosign.pub) in /etc/pki/containers/mypublickey.pub.

Point to it in /etc/containers/policy.json:

```json
      "registry.hub.docker.com/xlionjuan": [
        {
          "type": "sigstoreSigned",
          "keyPath": "/etc/pki/containers/mypublickey.pub",
          "signedIdentity": {
            "type": "matchRepository"
          }
        }
      ]
```

Add a yaml file under /etc/containers/registries.d/xlionjuan.yaml:

```yaml
docker:
  registry.hub.docker.com/xlionjuan:
    use-sigstore-attachments: true
```

Now it should be able to find the key. I may have made some wrong assumptions, but I hope you get the idea to make this work!
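The two files above interact through scope matching: containers-image picks the policy.json entry (and the registries.d entry) whose scope is the most specific prefix of the image reference, and it only fetches cosign signatures from the registry for scopes where `use-sigstore-attachments` is enabled. The following script is an added example written for this thread, not code from the project or from either commenter; it reproduces that lookup offline so you can check, before rebasing, which rule a given `docker://` reference will hit and whether the "signature required but no signature exists" combination (signature rule present, attachments disabled) applies. The policy and registries.d content are constructed copies of the snippets above; the `registries.d` yaml is represented as a dict to avoid a YAML dependency.

```python
"""Resolve which containers-policy.json rule and registries.d setting apply
to an image reference. Constructed example for this issue thread; the
matching order mirrors containers-image's scope lookup (full identity,
repository, parent namespaces, host, then the transport default)."""
import json

# Constructed policy.json mirroring the snippet in the comment above.
POLICY_JSON = """
{
  "default": [{"type": "insecureAcceptAnything"}],
  "transports": {
    "docker": {
      "registry.hub.docker.com/xlionjuan": [
        {
          "type": "sigstoreSigned",
          "keyPath": "/etc/pki/containers/mypublickey.pub",
          "signedIdentity": {"type": "matchRepository"}
        }
      ]
    }
  }
}
"""

# Constructed stand-in for /etc/containers/registries.d/xlionjuan.yaml.
REGISTRIES_D = {
    "docker": {
        "registry.hub.docker.com/xlionjuan": {"use-sigstore-attachments": True},
    }
}


def split_reference(ref: str) -> tuple:
    """Return (repository, identity). identity keeps the tag or digest
    (":latest" is assumed when none is given); repository drops it."""
    if ref.startswith("docker://"):
        ref = ref[len("docker://"):]
    repo = ref.split("@", 1)[0]            # drop @sha256:... digest
    if repo.rfind(":") > repo.rfind("/"):  # a ':' after the last '/' is a tag
        repo = repo[:repo.rfind(":")]
    identity = ref if ref != repo else repo + ":latest"
    return repo, identity


def candidate_scopes(ref: str) -> list:
    """Scopes in the order they are tried, most specific first."""
    repo, identity = split_reference(ref)
    scopes = [identity, repo]
    parts = repo.split("/")
    for i in range(len(parts) - 1, 0, -1):  # parent namespaces down to host
        scopes.append("/".join(parts[:i]))
    scopes.append("")                       # "" = transport-wide default
    return scopes


def applicable_rule(policy: dict, ref: str) -> tuple:
    """Return (scope, requirements) for the docker transport, or the
    top-level default when no scope matches."""
    docker_scopes = policy.get("transports", {}).get("docker", {})
    for scope in candidate_scopes(ref):
        if scope in docker_scopes:
            return scope, docker_scopes[scope]
    return "default", policy["default"]


def requires_signature(requirements: list) -> bool:
    """True if any requirement in the list demands a signature."""
    return any(r.get("type") in ("sigstoreSigned", "signedBy") for r in requirements)


def sigstore_attachments_enabled(registries_d: dict, ref: str) -> bool:
    """Same prefix lookup over registries.d; falls back to default-docker."""
    docker = registries_d.get("docker", {})
    for scope in candidate_scopes(ref):
        if scope and scope in docker:
            return bool(docker[scope].get("use-sigstore-attachments", False))
    return bool(registries_d.get("default-docker", {}).get("use-sigstore-attachments", False))


def explain(policy_json: str, registries_d: dict, ref: str) -> dict:
    """Summarise what containers-image will do for this reference."""
    policy = json.loads(policy_json)
    scope, rule = applicable_rule(policy, ref)
    required = requires_signature(rule)
    attachments = sigstore_attachments_enabled(registries_d, ref)
    return {
        "scope": scope,
        "signature_required": required,
        "sigstore_attachments": attachments,
        # This is the combination behind "A signature was required, but no
        # signature exists": a rule demands a signature but none is fetched.
        "will_fail_no_signature": required and not attachments,
    }


if __name__ == "__main__":
    for image in ("docker://registry.hub.docker.com/xlionjuan/bluefin-dx:latest",
                  "docker://docker.io/xlionjuan/bluefin-dx:latest"):
        print(image, explain(POLICY_JSON, REGISTRIES_D, image))
```

Two things the output makes visible: scope matching is a literal prefix match on the reference string, so an image pulled as `docker.io/xlionjuan/...` falls through to the permissive `default` rule when the scope is written as `registry.hub.docker.com/xlionjuan`; and with the policy entry present but the registries.d file missing, the script flags `will_fail_no_signature`, which is exactly the state the error in the original report describes.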

@xlionjuan (Contributor, Author)

Thanks, though I understand what you're saying, I've kinda given up, because I know how to protect my online and GitHub accounts; it should be secure enough for me. I prefer to wait until skopeo supports Sigstore's OIDC token signing.
