Closed RoyalOughtness closed 5 months ago
All release builds after this will be signed with https://github.com/JasonN3/build-container-installer/blob/main/cosign.pub. Builds on various branches won't be signed, since those aren't meant to be used unless you need a specific feature that's still under development.
@JasonN3 FYI this stopped working sometime recently:
Trying to pull ghcr.io/jasonn3/build-container-installer:latest...
Error: Source image rejected: A signature was required, but no signature exists
I have this in my policy.json:
    "ghcr.io/jasonn3": [
        {
            "type": "sigstoreSigned",
            "keyPath": "/usr/etc/pki/containers/build-container-installer.pub",
            "signedIdentity": {
                "type": "matchRepository"
            }
        }
    ],
and this in /usr/etc/pki/containers/build-container-installer.pub:
-----BEGIN PUBLIC KEY-----
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEY4ljyIhI2w9DOptB4WT20S+K5ts3
GJTEKRkXmIYEXGfyKpJMdlGCWeg2kOam5dNhWKXXl46d3eBBo9S53TPpyQ==
-----END PUBLIC KEY-----
Signing this image would allow for verified updates to build-container-installer
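An added example, not part of the thread or of either project's code: it resolves which containers-policy.json scope applies to an image reference (most specific docker-transport scope first, then the transport default, then the global default), which is why the `ghcr.io/jasonn3` entry quoted above governs the pull of `build-container-installer:latest`. The `default` entry and the `transports`/`docker` wrapper around the thread's fragment are assumptions, as are the function names.

```python
import json

# Constructed policy: the thread's "ghcr.io/jasonn3" entry placed inside an
# assumed wrapper ("default" and "transports"/"docker" are not on the page).
POLICY = json.loads("""
{
  "default": [{"type": "insecureAcceptAnything"}],
  "transports": {"docker": {
    "ghcr.io/jasonn3": [{
      "type": "sigstoreSigned",
      "keyPath": "/usr/etc/pki/containers/build-container-installer.pub",
      "signedIdentity": {"type": "matchRepository"}
    }]
  }}
}
""")

def candidate_scopes(image):
    """Return docker-transport scopes that can match image, most specific first."""
    scopes = [image]                      # exact reference (tag or digest)
    repo = image.split("@")[0]            # drop a digest, if any
    if ":" in repo.rsplit("/", 1)[-1]:    # drop a tag, but not a registry port
        repo = repo[:repo.rindex(":")]
    if repo != image:
        scopes.append(repo)
    while "/" in repo:                    # repository, namespace prefixes, then host
        repo = repo.rsplit("/", 1)[0]
        scopes.append(repo)
    host = repo.split(":")[0]             # wildcard scopes ignore the port
    while "." in host:
        host = host.split(".", 1)[1]
        scopes.append("*." + host)
    return scopes

def resolve(policy, image, transport="docker"):
    """Return (scope, requirements) that apply to image under this policy."""
    table = policy.get("transports", {}).get(transport, {})
    for scope in candidate_scopes(image):
        if scope in table:
            return scope, table[scope]
    if "" in table:                       # transport-wide default
        return "", table[""]
    return "default", policy["default"]   # global default

if __name__ == "__main__":
    for ref in ("ghcr.io/jasonn3/build-container-installer:latest", "ghcr.io/other/tool:1"):
        scope, reqs = resolve(POLICY, ref)
        print(f"{ref}: scope={scope!r} requirements={[r['type'] for r in reqs]}")
```

Every requirement listed for the winning scope must be satisfied, so an unsigned tag in a `sigstoreSigned` scope is rejected rather than falling through to a looser default.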