The Containerfile builds an image that carries two pieces of signature-verification configuration under /etc/containers:
- quay.io.yaml (a registries.d fragment) tells Podman, and the containers-image library that bootc uses for pulls, to download Sigstore signatures stored as attachments alongside images on quay.io.
- policy.json tells Podman and bootc that any image pulled from quay.io/rh-ee-mskoett/bootc-signed must carry a Sigstore signature that verifies with bootc-demo.pub.
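As an added example (not the post's own Containerfile or config files), the following script generates the two policy files described above plus a minimal Containerfile that installs them. Everything beyond the repository name and the key name is an assumption: the public key is placed at /etc/pki/containers/bootc-demo.pub inside the image, and the base image is quay.io/fedora/fedora-bootc:41 (substitute whatever the real Containerfile builds from). It uses "default": "reject" rather than "insecureAcceptAnything", which is the stricter setting for a bootc host whose only pull is its own image; a host that also runs unrelated containers would need extra per-registry entries.

```shell
#!/bin/sh
# Added example for the bootc Sigstore demo; not the original post's files.
# Assumed (hypothetical) values: key path inside the image and base image.
set -eu

REPO="quay.io/rh-ee-mskoett/bootc-signed"
KEY_IN_IMAGE="/etc/pki/containers/bootc-demo.pub"   # assumption
BASE_IMAGE="quay.io/fedora/fedora-bootc:41"          # assumption

# registries.d fragment: tells containers-image (podman, skopeo, bootc) to
# fetch sigstore signatures stored as OCI attachments next to the image.
write_registries_yaml() {
    cat > "$1" <<'EOF'
docker:
  quay.io:
    use-sigstore-attachments: true
EOF
}

# policy.json: the demo repo needs a sigstore signature made with the key that
# ships in the image; matchRepository also accepts retags within that repo.
# Anything not matched by a transport entry falls through to "reject".
write_policy_json() {
    cat > "$1" <<EOF
{
  "default": [{"type": "reject"}],
  "transports": {
    "docker": {
      "${REPO}": [
        {
          "type": "sigstoreSigned",
          "keyPath": "${KEY_IN_IMAGE}",
          "signedIdentity": {"type": "matchRepository"}
        }
      ]
    }
  }
}
EOF
}

# Containerfile that installs the key and both config files into the image.
write_containerfile() {
    cat > "$1" <<EOF
FROM ${BASE_IMAGE}
COPY bootc-demo.pub ${KEY_IN_IMAGE}
COPY policy.json /etc/containers/policy.json
COPY quay.io.yaml /etc/containers/registries.d/quay.io.yaml
EOF
}

# Write all three files into the given build-context directory.
generate_config() {
    mkdir -p "$1"
    write_registries_yaml "$1/quay.io.yaml"
    write_policy_json "$1/policy.json"
    write_containerfile "$1/Containerfile"
}

# Pre-build sanity check: the repo appears under a sigstoreSigned requirement
# and the key path in the policy is the one the Containerfile installs.
# Usage: policy_requires_sigstore REPO POLICY_FILE KEY_PATH
policy_requires_sigstore() {
    grep -q "\"$1\"" "$2" \
        && grep -q '"type": "sigstoreSigned"' "$2" \
        && grep -q "\"keyPath\": \"$3\"" "$2"
}

# Usage: sh sigstore-config.sh <build-context-dir>
if [ -n "${1:-}" ]; then
    generate_config "$1"
    policy_requires_sigstore "$REPO" "$1/policy.json" "$KEY_IN_IMAGE" \
        && echo "wrote $1/Containerfile, policy.json and quay.io.yaml"
fi
```

Run it with the build-context directory as its argument, drop bootc-demo.pub into that directory, and then build as in the next step. The check function is deliberately a textual one so it runs anywhere; on a host with podman installed, the authoritative test is that a pull of an unsigned tag from the repo fails with the policy in place.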
Build the image and push it, signing it with the Sigstore private key as it is pushed (the key is passphrase-protected, so podman prompts for the passphrase; pass --sign-passphrase-file to supply it non-interactively):
podman build -t quay.io/rh-ee-mskoett/bootc-signed:latest .
podman push --sign-by-sigstore-private-key ./bootc-demo.private quay.io/rh-ee-mskoett/bootc-signed:latest
Boot a VM from the image using podman-bootc:
podman-bootc run --filesystem=xfs quay.io/rh-ee-mskoett/bootc-signed:latest
Now build an updated image, but this time push it to quay.io without signing it:
podman build -t quay.io/rh-ee-mskoett/bootc-signed:latest .
podman push quay.io/rh-ee-mskoett/bootc-signed:latest
Let's see whether bootc will let us upgrade to the new unsigned image:
[root@localhost ~]# bootc upgrade
ERROR Upgrading: Creating importer: failed to invoke method OpenImage: failed to invoke method OpenImage: A signature was required, but no signature exists
The upgrade is refused: the policy.json baked into the running image requires a Sigstore signature for this repository, the new tag has none attached, and bootc's image proxy rejects it before anything is written to disk. The same check applies to bootc switch, so a compromised registry credential alone is not enough to push an update onto the host.
Using Skopeo
Skopeo can generate a Sigstore key pair (it writes myKey.private and myKey.pub and prompts for a passphrase to protect the private key):
skopeo generate-sigstore-key --output-prefix myKey
Cosign can also be used to generate a key pair (it writes myKey.key and myKey.pub); keys from either tool work with podman push --sign-by-sigstore-private-key and with a sigstoreSigned policy entry:
cosign generate-key-pair --output-key-prefix myKey