Signing container images with sigstore keys
Digital signatures can be used to verify the authenticity and integrity of a container image. This topic covers how to create a sigstore key to sign images in your enterprise Container Registry.
Signing a container image with sigstore keys (optional procedure)
- Generate the keys with IBM® z/OS for Skopeo (Skopeo). Use Skopeo to create a sigstore key pair with the following command:

    skopeo generate-sigstore-key --output-prefix <key-file-name-prefix>

  Replace <key-file-name-prefix> with the path and filename prefix for the generated key files; Skopeo writes the public key to <key-file-name-prefix>.pub and the private key to <key-file-name-prefix>.private.
- Configure a YAML file in /etc/containers/registries.d to use sigstore signatures. To allow signatures to be pushed to a registry together with an image, the use-sigstore-attachments option must be set in a config file in registries.d. Create the directory /etc/containers/registries.d, then create a YAML config file with any name you choose, containing the following text:

    docker:
      <enterprise-registry-location>:
        use-sigstore-attachments: true

  Replace <enterprise-registry-location> with your enterprise container image registry.
- Configure /etc/containers/policy.json to enforce the use of the key. Modify the global policy config file, /etc/containers/policy.json, so that images from your registry are required to carry a signature that verifies with the locally stored key:

    "transports": {
      "docker": {
        "<enterprise-registry-location>/<namespace>": [
          {
            "type": "sigstoreSigned",
            "keyPath": "<key-file-name-prefix>.pub",
            "signedIdentity": { "type": "matchRepository" }
          }
        ]
      }
    }

  Replace <enterprise-registry-location> with your enterprise container image registry, and <key-file-name-prefix> with the prefix used when the keys were generated, so that keyPath points at the public key file.
- Push the image to the registry. Use the --sign-by-sigstore-private-key option to sign the image with the private key and push it to your enterprise container image registry:

    podman push --sign-by-sigstore-private-key <key-file-name-prefix>.private <image-name> <enterprise-registry-location>/<namespace>/<image-name>

  Replace <key-file-name-prefix> with the prefix used when the keys were generated (the private key file is <key-file-name-prefix>.private), and <enterprise-registry-location> with your enterprise container image registry.
- When the image is later pulled from the registry, the locally stored public key is used to verify its signature. If the key does not match the container image's signature, Podman for IBM z/OS (Podman) will output an error message.
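As an added example, not part of the original procedure or of the Skopeo and Podman tooling, the following Python script audits a policy.json and reports any docker scope whose requirements do not pin a sigstore key (as the policy step above intends), including scopes that silently fall back to the top-level "default". The sample policy, registry names, namespace and key path are constructed for the example.

```python
import json

# Constructed sample policy.json shaped like the fragment above; scopes, key path and "default" are assumptions.
SAMPLE_POLICY = json.loads("""
{
  "default": [{"type": "reject"}],
  "transports": {
    "docker": {
      "registry.example.com/team": [
        {
          "type": "sigstoreSigned",
          "keyPath": "/etc/pki/sigstore/team.pub",
          "signedIdentity": {"type": "matchRepository"}
        }
      ],
      "registry.example.com/legacy": [{"type": "insecureAcceptAnything"}]
    }
  }
}
""")


def check_docker_scope(policy, scope):
    """Findings for one docker scope; empty means each requirement pins a sigstore key or rejects."""
    reqs = policy.get("transports", {}).get("docker", {}).get(scope)
    if reqs is None:
        # No entry for this scope: the top-level "default" list applies instead.
        reqs = policy.get("default", [])
    if not reqs:
        return [f"{scope}: no policy requirements found"]
    findings = []
    for req in reqs:
        kind = req.get("type")
        if kind == "sigstoreSigned":
            if not (req.get("keyPath") or req.get("keyData")):
                findings.append(f"{scope}: sigstoreSigned entry has no keyPath or keyData")
        elif kind != "reject":
            findings.append(f"{scope}: type {kind!r} does not verify a sigstore signature")
    return findings


def audit(policy, extra_scopes=("unlisted.example.com/app",)):
    """Check every docker scope in the policy plus scopes that fall back to default."""
    scopes = list(policy.get("transports", {}).get("docker", {})) + list(extra_scopes)
    return {scope: check_docker_scope(policy, scope) for scope in scopes}


if __name__ == "__main__":
    for scope, findings in audit(SAMPLE_POLICY).items():
        print(scope, "->", "OK" if not findings else "; ".join(findings))
```

Run it against the real /etc/containers/policy.json by loading that file into audit() and adding your registry scopes to extra_scopes; any scope listed with a finding will accept images that were not signed with your key.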
For information on pulling a container image, see Pushing to and pulling from a container registry.