mirror of https://github.com/openshift/openshift-docs.git synced 2026-02-05 12:46:18 +01:00
openshift-docs/modules/microshift-verify-container-signatures-sigstore.adoc
// Module included in the following assemblies:
//
// * microshift/microshift_auth_security/microshift-verify-container-signatures.adoc
:_mod-docs-content-type: PROCEDURE
[id="microshift-verify-container-signatures-sigstore_{context}"]
= Verifying container signatures using sigstore

Verify container signatures for {microshift-short} by configuring the container runtime to use sigstore. Signature verification uses the public key of the Red Hat keypair that was used to sign the images. To use sigstore, edit the default `/etc/containers/policy.json` file that is installed as part of the container runtime package.

You can access Red Hat public keys at the following link:

* link:https://access.redhat.com/security/team/key[Product Signing Keys]

You must use release key 3 to verify {microshift-short} container signatures.

.Prerequisites
* You have admin access to the {microshift-short} host.
* You installed {microshift-short}.

.Procedure
. Download the relevant public key and save it as `/etc/containers/RedHat_ReleaseKey3.pub` by running the following command:
+
[source,terminal]
----
$ sudo curl -sL https://access.redhat.com/security/data/63405576.txt -o /etc/containers/RedHat_ReleaseKey3.pub
----
. To configure the container runtime to verify images from Red Hat sources, edit the `/etc/containers/policy.json` file to contain the following configuration:
+
.Example policy JSON file
[source,json]
----
{
  "default": [
    {
      "type": "reject"
    }
  ],
  "transports": {
    "docker": {
      "quay.io/openshift-release-dev": [{
        "type": "sigstoreSigned",
        "keyPath": "/etc/containers/RedHat_ReleaseKey3.pub",
        "signedIdentity": {
          "type": "matchRepoDigestOrExact"
        }
      }],
      "registry.redhat.io": [{
        "type": "sigstoreSigned",
        "keyPath": "/etc/containers/RedHat_ReleaseKey3.pub",
        "signedIdentity": {
          "type": "matchRepoDigestOrExact"
        }
      }]
    }
  }
}
----
. Configure the `registry.redhat.io` registry to use sigstore attachments when pulling images to the local storage by editing the `/etc/containers/registries.d/registry.redhat.io.yaml` file to contain the following configuration:
+
[source,terminal]
----
$ cat /etc/containers/registries.d/registry.redhat.io.yaml
docker:
  registry.redhat.io:
    use-sigstore-attachments: true
----
. Configure the `quay.io/openshift-release-dev` registry to use sigstore attachments when pulling images to the local storage by editing the `/etc/containers/registries.d/quay.io.yaml` file to contain the following configuration:
+
[source,terminal]
----
$ cat /etc/containers/registries.d/quay.io.yaml
docker:
  quay.io/openshift-release-dev:
    use-sigstore-attachments: true
----
. Create additional registry configuration files if your use case requires signature verification for other image sources. Use the examples in this procedure as a starting point and add your own requirements.
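
The following Python script is added here as an example and is not part of the original module or of the containers tooling. It audits a `policy.json` of the shape shown above for fail-open settings (a non-`reject` default, `insecureAcceptAnything`, or a `sigstoreSigned` requirement with no trust root) and derives the matching `registries.d` files from the same policy, so the two stay consistent. `SAMPLE_POLICY` and `WEAK_POLICY` are constructed samples, and naming each `registries.d` file after the registry host is an assumption.

```python
# Reference policy from the procedure above, embedded as a constructed sample.
_RH_REQ = {"type": "sigstoreSigned",
           "keyPath": "/etc/containers/RedHat_ReleaseKey3.pub",
           "signedIdentity": {"type": "matchRepoDigestOrExact"}}
SAMPLE_POLICY = {"default": [{"type": "reject"}],
                 "transports": {"docker": {
                     "quay.io/openshift-release-dev": [_RH_REQ],
                     "registry.redhat.io": [_RH_REQ]}}}

# Constructed weak variant: fail-open default and a scope with no trust root.
WEAK_POLICY = {"default": [{"type": "insecureAcceptAnything"}],
               "transports": {"docker": {
                   "registry.redhat.io": [{"type": "sigstoreSigned"}]}}}

def audit_policy(policy: dict) -> list:
    """Return findings for a containers-policy.json dict. An empty list means the
    default is fail-closed and every docker scope requires a sigstore signature
    anchored to a trust root (keyPath, keyData or fulcio)."""
    findings = []
    default = policy.get("default", [])
    if not (len(default) == 1 and default[0].get("type") == "reject"):
        findings.append("default: must be a single 'reject' requirement")
    docker = policy.get("transports", {}).get("docker", {})
    if not docker:
        findings.append("transports.docker: no registry scopes configured")
    for scope, reqs in docker.items():
        for req in reqs:
            kind = req.get("type")
            if kind == "insecureAcceptAnything":
                findings.append(f"{scope}: insecureAcceptAnything bypasses verification")
            elif kind == "sigstoreSigned":
                if not any(k in req for k in ("keyPath", "keyData", "fulcio")):
                    findings.append(f"{scope}: sigstoreSigned without a trust root")
                # An absent signedIdentity defaults to matchRepoDigestOrExact.
                ident = req.get("signedIdentity", {}).get("type", "matchRepoDigestOrExact")
                if ident != "matchRepoDigestOrExact":
                    findings.append(f"{scope}: signedIdentity {ident} differs from the reference")
            elif kind != "reject":
                findings.append(f"{scope}: unexpected requirement type {kind!r}")
    return findings

def registries_d_files(policy: dict) -> dict:
    """Map a registries.d file name to YAML enabling sigstore attachments for each
    docker scope the policy verifies. File naming by registry host is an assumption."""
    files = {}
    for scope in policy.get("transports", {}).get("docker", {}):
        host = scope.split("/", 1)[0]
        files[f"{host}.yaml"] = f"docker:\n  {scope}:\n    use-sigstore-attachments: true\n"
    return files
```

Run `audit_policy` against the parsed contents of `/etc/containers/policy.json` after editing it; any non-empty result means an image source can still be pulled without a verified signature.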

.Next steps
. If you are using a mirror registry, enable sigstore attachments.
. Otherwise, proceed to wiping the local container storage clean.