stagex/signatures
14
0
Fork
You've already forked signatures
2
[Stagex] Package Containers signatures https://sigs.stagex.tools
2026年06月14日 17:38:38 -07:00
stagex add signatures for 2026060 2026年06月14日 17:37:59 -07:00
.domains Add custom domain for use with codeberg pages 2025年06月01日 21:41:05 -07:00
README.md Updates README with new information on signature verification, add maintainers keyring 2026年02月05日 22:50:49 -08:00
stagex-keyring.pgp Updates README with new information on signature verification, add maintainers keyring 2026年02月05日 22:50:49 -08:00

[StageX] Image Signatures

This repository holds signatures related to containers built and reproduced by the [StageX] maintainers. These signatures are stored in a format compatible with containers-registries.d lookaside.

We provide a keyring, or you can pull our keys via WKD or Hagrid. As of now any project using image/v5.37.0 or higher should work

Program Tested Works
skopeo yes no
podman yes yes
kubernetes no ?

Signatures up to version sx2025.05.2 signed the index file instead of the OCI compliant manifest for a given architecture. Signatures can be verified using pgp tooling but not lookaside.

Signatures from sx2025.05.2 to sx2025.11.0 only have a critical.identity.docker-reference of stagex/<package-name> meaning a policy signedIdentity only has the option of matchRepo for Dockerhub Images

Getting Started

1.Configure the lookaside server for both quay.io and docker hub for the stagex organization

~/.config/containers/registries.d/default.yaml

docker:docker.io/stagex:lookaside:https://sigs.stagex.toolsquay.io/stagex:lookaside:https://sigs.stagex.tools
  1. Create a PGP Keyring for a policy

3.Add a policy

~/.config/containers/policy.json

{
 "default": [
 {"type": "reject"}
 ],
 "transports": {
 "docker": {
 "stagex": [
 {
 "type": "signedBy",
 "keyType": "GPGKeys",
 "keyPath": "/path/to/stagex-keyring.pgp",
 "signedIdentity": {
 "type": "matchRepoDigestOrExact"
 }
 }
 ],
 "quay.io/stagex": [
 {
 "type": "signedBy",
 "keyType": "GPGKeys",
 "keyPath": "/path/to/stagex-keyring.pgp",
 "signedIdentity": {
 "type": "remapIdentity",
 "prefix": "quay.io/stagex",
 "signedPrefix": "docker.io/stagex"
 }
 }
 ],
 }
 }
}