Chicken-and-egg problem with image signatures on CoreOS

(Hello! I originally posted this here (https://discussion.fedoraproject.org/t/chicken-and-egg-problem-with-image-signing-on-coreos/72710) but it was suggested that I should try this forum instead.)

I’m on CoreOS, and I want to ensure that all of my services are running from verified, signed images. podman doesn’t support the signing mechanism used on Docker Hub, so this, realistically, requires me to run my own registry. Following this guide here…

https://github.com/containers/podman/blob/main/docs/tutorials/image_signing.md

… shows that the first step involves pulling registry from docker.io, and running it without being able to verify the signature on the image.

As a second pain point: If I want to run my own signature store, I almost inevitably want the web server hosting it to be protected with TLS. If I want it protected with TLS, I need to use an ACME client to fetch certificates. This being CoreOS, that ACME client will need to be installed from an OCI image hosted by the image registry I’m trying to set up in the first place. Circular dependencies! 🤯

Is there a succinct method for provisioning a CoreOS instance with a working registry such that I don’t have to start the process by pulling a load of unsigned code?
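To make the goal in the post concrete (every pull must verify), here is a fail-closed podman signature configuration written as a small shell helper. It is an added example, not taken from the thread or the podman tutorial; registry.example.com, sigstore.example.com and the key path are placeholders, and the helper writes into whatever directory it is given (on the host that would be /etc/containers). With the default set to reject, the very first `podman pull docker.io/library/registry` is refused, which is exactly the bootstrapping problem described above.

```shell
#!/usr/bin/env bash
# Added example: write a strict containers policy plus the matching
# registries.d entry into the directory given as $1.
# Assumed placeholder values: registry.example.com, sigstore.example.com
# and the GPG key path. Replace them with your own.
set -eu

write_signing_policy() {
  dir="$1"
  mkdir -p "$dir/registries.d"

  # policy.json: "default": reject means any image not matched by an
  # explicit rule fails to pull, including docker.io/library/registry on
  # a fresh host. Only images from the private registry carrying a valid
  # signature by the listed key are accepted.
  cat >"$dir/policy.json" <<'EOF'
{
  "default": [ { "type": "reject" } ],
  "transports": {
    "docker": {
      "registry.example.com": [
        { "type": "signedBy",
          "keyType": "GPGKeys",
          "keyPath": "/etc/pki/containers/registry.example.com.gpg" }
      ]
    },
    "containers-storage": {
      "": [ { "type": "insecureAcceptAnything" } ]
    }
  }
}
EOF

  # registries.d: where podman fetches detached signatures for images from
  # the private registry (the "signature store" mentioned in the post).
  cat >"$dir/registries.d/registry.example.com.yaml" <<'EOF'
docker:
  registry.example.com:
    sigstore: https://sigstore.example.com/sigstore
EOF
}

# Sanity check: succeed only if the default rule is reject and nothing else,
# ignoring whitespace, so the policy cannot silently fall open.
policy_is_fail_closed() {
  tr -d ' \n' <"$1/policy.json" | grep -q '"default":\[{"type":"reject"}\]'
}

if [ -n "${1:-}" ]; then write_signing_policy "$1"; fi
```

Note that the signature store URL itself is still fetched over TLS, so the certificate bootstrapping loop from the second pain point applies to it as well.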

Hi,

Thank you for the great question. I don’t have an answer for you, but I think at a high level this isn’t FCOS-specific. E.g. I think the same concerns exist trying to set up signature verification on a traditional Fedora system. Though obviously it’s still very relevant on FCOS, being container-focused.

I asked on the #podman IRC channel and there was agreement this would make a good mailing list question where more podman/signing SMEs will have a chance to see it. The details of the mailing list are available here. Could you repost your question there and then link to it here?

Thanks!

Will do!

https://lists.podman.io/archives/list/podman@lists.podman.io/thread/H4XT5KD7UXS4UQM67JGC3TUH5HK47KPD/