https://github.com/fphammerle/container-image-sigstore
Personal Container Image Signature Store for Podman & Skopeo
https://github.com/fphammerle/container-image-sigstore
container-image podman skopeo
Last synced: 29 days ago
JSON representation
Personal Container Image Signature Store for Podman & Skopeo
- Host: GitHub
- URL: https://github.com/fphammerle/container-image-sigstore
- Owner: fphammerle
- Created: 2021-02-10T09:20:31.000Z (over 4 years ago)
- Default Branch: master
- Last Pushed: 2025-01-04T05:11:24.000Z (9 months ago)
- Last Synced: 2025-01-12T10:26:24.846Z (9 months ago)
- Topics: container-image, podman, skopeo
- Homepage:
- Size: 1.06 MB
- Stars: 0
- Watchers: 3
- Forks: 0
- Open Issues: 0
-
Metadata Files:
- Readme: README.md
Awesome Lists containing this project
README
# Personal Container Image Signature Store
## Setup
1. configure signature store location in `/etc/containers/registries.d/fphammerle.yaml`:
```yaml
docker:
docker.io/fphammerle:
sigstore: https://raw.githubusercontent.com/fphammerle/container-image-sigstore/master/docker.io
quay.io/fphammerle:
sigstore: https://raw.githubusercontent.com/fphammerle/container-image-sigstore/master/quay.io
```
2. download key
```sh
$ gpg --recv-key 8D2902FE7DF47DDEDA2802F9456B9A0399A5DA2F
$ gpg --export --armor --output /some/where/pgp/fphammerle 8D2902FE7DF47DDEDA2802F9456B9A0399A5DA2F
```
3. enable verification in `policy.json`:
```json
{
"default": [
{
"type": "reject"
}
],
"transports": {
"docker": {
"docker.io/fphammerle": [
{
"type": "signedBy",
"keyType": "GPGKeys",
"keyPath": "/some/where/pgp/fphammerle",
"signedIdentity": {"type": "matchRepoDigestOrExact"}
}
],
"quay.io/fphammerle": [
{
"type": "signedBy",
"keyType": "GPGKeys",
"keyPath": "/some/where/pgp/fphammerle",
"signedIdentity": {"type": "matchRepoDigestOrExact"}
}
]
}
}
}
```
### Verify with Podman
```sh
$ podman image trust show
default reject
docker.io/fphammerle signedBy fabian@hammerle.me https://raw.githubusercontent.com/fphammerle/container-image-sigstore/master/docker.io
quay.io/fphammerle signedBy fabian@hammerle.me https://raw.githubusercontent.com/fphammerle/container-image-sigstore/master/quay.io
$ podman --log-level debug run --rm quay.io/fphammerle/systemctl-mqtt:0.5.0-amd64
[...]
DEBU[0000] Using registries.d directory /etc/containers/registries.d for sigstore configuration
DEBU[0000] Using "docker" namespace quay.io/fphammerle
DEBU[0000] Using https://raw.githubusercontent.com/fphammerle/container-image-sigstore/master/quay.io
[...]
DEBU[0002] GET https://raw.githubusercontent.com/fphammerle/container-image-sigstore/master/quay.io/fphammerle/systemctl-mqtt@sha256=34dcb878dbd66315de6fbf97ceb29e8fec549b7269c6c828c4c889a54a091f14/signature-1
DEBU[0002] GET https://raw.githubusercontent.com/fphammerle/container-image-sigstore/master/quay.io/fphammerle/systemctl-mqtt@sha256=34dcb878dbd66315de6fbf97ceb29e8fec549b7269c6c828c4c889a54a091f14/signature-2
DEBU[0002] Requirement 0: allowed
DEBU[0002] Overall: allowed
[...]
DEBU[0004] Starting container 4e46cbe4e982ee84bcff54092146fb0442bb346e451cfb14e2e7f491bc886b88 with command [tini -- systemctl-mqtt --help]
[...]
$ podman --log-level debug run --rm quay.io/fphammerle/systemctl-mqtt:0.5.0-amd64-unsigned
[...]
DEBU[0000] Using registries.d directory /etc/containers/registries.d for sigstore configuration
DEBU[0000] Using "docker" namespace quay.io/fphammerle
DEBU[0000] Using https://raw.githubusercontent.com/fphammerle/container-image-sigstore/master/quay.io
[...]
DEBU[0002] GET https://raw.githubusercontent.com/fphammerle/container-image-sigstore/master/quay.io/fphammerle/systemctl-mqtt@sha256=34dcb878dbd66315de6fbf97ceb29e8fec549b7269c6c828c4c889a54a091f14/signature-1
DEBU[0002] GET https://raw.githubusercontent.com/fphammerle/container-image-sigstore/master/quay.io/fphammerle/systemctl-mqtt@sha256=34dcb878dbd66315de6fbf97ceb29e8fec549b7269c6c828c4c889a54a091f14/signature-2
DEBU[0002] Requirement 0: denied, done
DEBU[0002] Error pulling image ref //quay.io/fphammerle/systemctl-mqtt:0.5.0-amd64-unsigned: Source image rejected: Signature for identity quay.io/fphammerle/systemctl-mqtt:0.5.0-amd64 is not accepted
Signature for identity quay.io/fphammerle/systemctl-mqtt:0.5.0-amd64 is not accepted
Error: unable to pull quay.io/fphammerle/systemctl-mqtt:0.5.0-amd64-unsigned: Source image rejected: Signature for identity quay.io/fphammerle/systemctl-mqtt:0.5.0-amd64 is not accepted
```
## References
* [containers/registries.d: sigstore configuration](https://github.com/containers/image/blob/v5.5.2/docs/containers-registries.d.5.md#individual-configuration-sections)
* [containers/policy.json: `signedBy` configuration](https://github.com/containers/image/blob/v5.5.2/docs/containers-policy.json.5.md#signedby)
* [containers/image: Signature access protocols](https://github.com/containers/image/blob/v5.5.2/docs/signature-protocols.md)
* [How to sign and distribute container images using Podman](https://github.com/containers/podman/blob/v2.0.6/docs/tutorials/image_signing.md)
* [Verifying signatures of Red Hat container images](https://developers.redhat.com/blog/2019/10/29/verifying-signatures-of-red-hat-container-images/)
([archived](https://web.archive.org/web/20210210072204/https://developers.redhat.com/blog/2019/10/29/verifying-signatures-of-red-hat-container-images/))
* [Red Hat: Signing Container Images](https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux_atomic_host/7/html/managing_containers/signing_container_images)
* [Talk: A Docker image walks into a Notary](https://www.youtube.com/watch?v=JvjdfQC8jxM)
* [Podman does not support Notary](https://github.com/containers/podman/issues/8006#issuecomment-707986937)
* [Skopeo does not support Notary](https://github.com/containers/skopeo/issues/850#issuecomment-599436686)
* [Rui Marinho's Yubikey Handbook: Docker Content Trust](https://ruimarinho.gitbooks.io/yubikey-handbook/content/docker-content-trust/pushing-signed-image/generating-the-root-key.html)
* [CRI-O supports `policy.json`](https://github.com/cri-o/cri-o/blob/v1.20.0/docs/crio.8.md#files)
* [IBM: The top three ways to protect cloud native projects](https://www.ibm.com/blogs/research/2020/11/cloud-native-security/)
([archived](https://web.archive.org/web/20210210135130/https://www.ibm.com/blogs/research/2020/11/cloud-native-security/))