mirror of
https://github.com/aljazceru/kata-containers.git
synced 2025-12-18 23:04:20 +01:00
7670792f97
- Add hardcoded gpg, signature and polict files - Modify rootfs.sh to put these in the correct place in the kata image if skopeo and umoci are being used Fixes: #2682 Signed-off-by: stevenhorsman <steven@uk.ibm.com>
Description
This directory provides some artifacts required for implementing and testing the kata-agent's ability to verify the signatures of container images pulled from the test quay.io/kata-containers/confidential-containers repository.
Contents
It consists of:
signatures.tar- a tar archive containing the signatures ofquay.io/kata-containers/confidential-containers:signedandquay.io/kata-containers/confidential-containers:other_signedpublic.gpg- the public GPG key, paired to the private key pair that was used to signquay.io/kata-containers/confidential-containers:signedquay_policy.json- a container policy file that allows insecure access to all repos exceptquay.io/kata-containers, in which it enforced signatures by the above key
Usage
As part of the Confidential Containers v0 proof of concept these files will be built into the kata image and used for the purposes of testing verification of signed images see Issue #2682. They are intended to be temporary whilst a better solution is found to pass them in, probably based on the attestation agent.