mirror of
https://github.com/openshift/openshift-docs.git
synced 2026-02-05 12:46:18 +01:00
// Module included in the following assemblies:
//
// * microshift/microshift_auth_security/microshift-verify-container-signatures.adoc

:_mod-docs-content-type: PROCEDURE
[id="microshift-verify-container-signatures-sigstore_{context}"]
= Verifying container signatures using sigstore

Verify container signatures for {microshift-short} by configuring the container runtime to use sigstore. Signature verification uses the public key of the Red Hat keypair whose private key signed the images. To use sigstore, edit the default `/etc/containers/policy.json` file that is installed as part of the container runtime package.

You can access Red Hat public keys at the following link:

* link:https://access.redhat.com/security/team/key[Product Signing Keys]

You must use the release key 3 for verifying {microshift-short} container signatures.

.Prerequisites

* You have admin access to the {microshift-short} host.
* You installed {microshift-short}.

.Procedure

. Download the relevant public key and save it as `/etc/containers/RedHat_ReleaseKey3.pub` by running the following command:
+
[source,terminal]
----
$ sudo curl -sL https://access.redhat.com/security/data/63405576.txt -o /etc/containers/RedHat_ReleaseKey3.pub
----

. To configure the container runtime to verify images from Red Hat sources, edit the `/etc/containers/policy.json` file to contain the following configuration:
+
.Example policy JSON file
[source,json]
----
{
  "default": [
    {
      "type": "reject"
    }
  ],
  "transports": {
    "docker": {
      "quay.io/openshift-release-dev": [{
        "type": "sigstoreSigned",
        "keyPath": "/etc/containers/RedHat_ReleaseKey3.pub",
        "signedIdentity": {
          "type": "matchRepoDigestOrExact"
        }
      }],
      "registry.redhat.io": [{
        "type": "sigstoreSigned",
        "keyPath": "/etc/containers/RedHat_ReleaseKey3.pub",
        "signedIdentity": {
          "type": "matchRepoDigestOrExact"
        }
      }]
    }
  }
}
----

. Configure Red Hat remote registries to use sigstore attachments when pulling images to the local storage by editing the `/etc/containers/registries.d/registry.redhat.io.yaml` file to contain the following configuration:
+
[source,terminal]
----
$ cat /etc/containers/registries.d/registry.redhat.io.yaml
docker:
  registry.redhat.io:
    use-sigstore-attachments: true
----

. Configure Red Hat remote registries to use sigstore attachments when pulling images to the local storage by editing the `/etc/containers/registries.d/registry.quay.io.yaml` file to contain the following configuration:
+
[source,terminal]
----
$ cat /etc/containers/registries.d/quay.io.yaml
docker:
  quay.io/openshift-release-dev:
    use-sigstore-attachments: true
----

. Create user-specific registry configuration files if your use case requires signature verification for those image sources. You can use the example here to start with and add your own requirements.
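
A policy file is only as good as its contents, so it is worth auditing before the host is trusted with it. The following Python script is an added example, not part of the MicroShift documentation or of any Red Hat tooling: it loads a `policy.json` and reports a default that would accept unsigned images, a scope from this procedure that has no requirement, or a requirement that is not `sigstoreSigned` with a `keyPath` and the `matchRepoDigestOrExact` identity. Both embedded policies are constructed sample input.

```python
import json
from typing import Any, Dict, List

# Constructed sample input: the policy.json written in the procedure above.
GOOD_POLICY = json.loads("""
{
  "default": [{"type": "reject"}],
  "transports": {"docker": {
    "quay.io/openshift-release-dev": [{
      "type": "sigstoreSigned",
      "keyPath": "/etc/containers/RedHat_ReleaseKey3.pub",
      "signedIdentity": {"type": "matchRepoDigestOrExact"}}],
    "registry.redhat.io": [{
      "type": "sigstoreSigned",
      "keyPath": "/etc/containers/RedHat_ReleaseKey3.pub",
      "signedIdentity": {"type": "matchRepoDigestOrExact"}}]}}
}
""")

# Constructed weak variant: a permissive default and no per-scope rules.
WEAK_POLICY = {"default": [{"type": "insecureAcceptAnything"}],
               "transports": {"docker": {}}}

# The scopes the procedure pins to Red Hat release key 3.
SCOPES = ("quay.io/openshift-release-dev", "registry.redhat.io")


def audit_policy(policy: Dict[str, Any], scopes=SCOPES) -> List[str]:
    """Return findings where the policy deviates from the procedure.
    An empty list means every scope requires a sigstore signature."""
    findings: List[str] = []
    default = policy.get("default") or []
    if [r.get("type") for r in default] != ["reject"]:
        findings.append("default is not [reject]: images from unlisted scopes are accepted")
    docker = policy.get("transports", {}).get("docker", {})
    for scope in scopes:
        reqs = docker.get(scope)
        if not reqs:
            findings.append(f"{scope}: no requirement, so the default applies")
            continue
        for req in reqs:
            if req.get("type") != "sigstoreSigned":
                findings.append(f"{scope}: type {req.get('type')!r} is not sigstoreSigned")
                continue
            if not req.get("keyPath"):
                findings.append(f"{scope}: sigstoreSigned without keyPath")
            # containers/image treats a missing signedIdentity as matchRepoDigestOrExact.
            ident = req.get("signedIdentity", {}).get("type", "matchRepoDigestOrExact")
            if ident != "matchRepoDigestOrExact":
                findings.append(f"{scope}: signedIdentity {ident!r} differs from matchRepoDigestOrExact")
    return findings


if __name__ == "__main__":
    for name, pol in (("good", GOOD_POLICY), ("weak", WEAK_POLICY)):
        print(name, audit_policy(pol) or ["OK"])
```

To audit the live file, pass `json.load(open("/etc/containers/policy.json"))` to `audit_policy`.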

.Next steps

. If you are using a mirror registry, enable sigstore attachments.
. Otherwise, proceed to wiping the local container storage clean.