Today, I learned that podman supports verifying cosign signatures, if you configure it properly.
Here is how to make it work with a public key, instead of the short-lived certificates that Sigstore's keyless flow issues through Fulcio.
First, I edited /etc/containers/registries.d/default.yaml so that podman fetches sigstore attachments (the cosign signatures stored in the registry alongside the image) for this repository:
docker:
  ghcr.io/freedomofpress/dangerzone/v1:
    use-sigstore-attachments: true
Then, I added an entry for our public key to the "transports" section of /etc/containers/policy.json:
"docker": {
  "ghcr.io/freedomofpress/dangerzone/v1": [
    {
      "type": "sigstoreSigned",
      "keyPath": "/home/alexis/dev/fpf/dangerzone/share/freedomofpress-dangerzone.pub",
      "signedIdentity": {"type": "matchRepository"}
    }
  ]
}
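The two fragments above only show the repository-specific pieces. The following script is an added example, not code from the original post or from the dangerzone project: it stages both files into a directory of your choosing, writing a complete policy.json whose "default" entry is reject (the distro default is insecureAcceptAnything, which would leave every unlisted image unchecked), and gives you a check to run before copying the files into /etc/containers (or ~/.config/containers for rootless podman). The repository, key path and staging directory are assumptions supplied by the caller.

```shell
#!/bin/sh
# Added example, not from the original post: stage podman's signature
# verification config for one repository. Repository, key path and staging
# directory are assumptions passed in by the caller.
set -eu

# write_sigstore_config DIR REPO KEYPATH
# Writes DIR/registries.d/default.yaml and DIR/policy.json.
write_sigstore_config() {
    dir=$1; repo=$2; key=$3
    mkdir -p "$dir/registries.d"

    # registries.d: make containers/image look for cosign signatures stored
    # as OCI artifacts next to the image ("sigstore attachments") for this scope.
    cat > "$dir/registries.d/default.yaml" <<EOF
docker:
  $repo:
    use-sigstore-attachments: true
EOF

    # policy.json: refuse anything without a more specific rule, and require a
    # signature made with our key for the one repository. cosign records only
    # the repository (no tag) as the signed identity, which is why the post
    # needs "matchRepository": the stricter default "matchRepoDigestOrExact"
    # would reject a pull by tag. The cost is that any image signed for this
    # repository is accepted under any tag, so pull by digest when a
    # particular build matters.
    cat > "$dir/policy.json" <<EOF
{
  "default": [{"type": "reject"}],
  "transports": {
    "docker": {
      "$repo": [
        {
          "type": "sigstoreSigned",
          "keyPath": "$key",
          "signedIdentity": {"type": "matchRepository"}
        }
      ]
    }
  }
}
EOF
}

# policy_covers DIR REPO: succeed only if DIR/policy.json has a sigstoreSigned
# rule for REPO and a reject default, so an unlisted image cannot slip through.
policy_covers() {
    grep -qF "\"$2\"" "$1/policy.json" &&
    grep -qF '"type": "sigstoreSigned"' "$1/policy.json" &&
    grep -qF '"default": [{"type": "reject"}]' "$1/policy.json"
}

# pull_with_policy DIR IMAGE: pull using the staged policy file. The
# registries.d file still has to be installed where podman reads it
# (/etc/containers/registries.d or ~/.config/containers/registries.d),
# because podman has no flag pointing at a different registries.d directory.
pull_with_policy() {
    podman pull --signature-policy "$1/policy.json" "$2"
}
```

With "default" set to reject, every image outside the listed repository is refused; keep it that way and add explicit rules for the other registries you rely on, rather than falling back to insecureAcceptAnything for everything else.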
Now a podman pull works. If I configure a different public key instead, it fails with:
Error: unable to copy from source docker://ghcr.io/freedomofpress/dangerzone/v1:latest: copying system image from manifest list: Source image rejected: cryptographic signature verification failed: invalid signature when validating ASN.1 encoded signature
With the proper signatures and public key, podman pull also fetches and stores the signatures for us:
$ podman pull ghcr.io/freedomofpress/dangerzone/v1
Trying to pull ghcr.io/freedomofpress/dangerzone/v1:latest...
Getting image source signatures
Checking if image destination supports signatures
Copying blob 89b08d9231ff done |
Copying config 945016a2e0 done |
Writing manifest to image destination
Storing signatures
<imageID>