feat: use signed image

clemak27 · clemak27 · commit 8546ad946416 · 2025-11-09T12:30:43.000+01:00
diff --git a/README.md b/README.md
@@ -21,3 +21,9 @@ In a fresh Fedora Kinoite installation, change the base image:
 ```sh
 rpm-ostree rebase ostree-unverified-registry:ghcr.io/clemak27/kinokite:latest
 ```
+
+After a reboot, you can change to a signed image:
+
+```sh
+rpm-ostree rebase ostree-image-signed:docker://ghcr.io/clemak27/kinokite:latest
+```
diff --git a/build.sh b/build.sh
@@ -47,3 +47,53 @@ systemctl enable podman.socket
 # change default shell
 
 sed -i 's@/bin/bash@/bin/zsh@g' /etc/default/useradd
+
+# signed image
+
+cat << EOF > /etc/containers/policy.json
+{
+  "default": [
+    {
+      "type": "reject"
+    }
+  ],
+  "transports": {
+    "docker-daemon": {
+      "": [
+        {
+          "type": "insecureAcceptAnything"
+        }
+      ]
+    },
+    "docker": {
+      "ghcr.io/clemak27": [
+        {
+          "type": "sigstoreSigned",
+          "keyPath": "/etc/pki/containers/clemak27.pub",
+          "signedIdentity": {
+            "type": "matchRepository"
+          }
+        }
+      ],
+      "": [
+        {
+          "type": "insecureAcceptAnything"
+        }
+      ]
+    }
+  }
+}
+EOF
+
+mkdir -p /etc/containers/registries.d
+cat << EOF > /etc/containers/registries.d/ghcr.yaml
+docker:
+  ghcr.io/clemak27:
+    use-sigstore-attachments: true
+EOF
+
+mkdir -p /etc/pki/containers
+cp /tmp/cosign.pub /etc/pki/containers/clemak27.pub
+
+restorecon -RFv /etc/pki/containers
+restorecon -RFv /etc/containers
