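Table of contents
Sign the alpine image and push it to the local Docker Registry
Start a new server in the local signature staging store: `/etc/containers/registries.d/default.yaml` `http://localhost:8000`
Prepare the environment
Install python3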
yum install python3 -y
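Configure image signing
First create a GPG key pair
Provide a user name, email address and passphrase when prompted, and accept the default options.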
[root@localhost ~]# gpg --full-gen-key
gpg (GnuPG) 2.2.20; Copyright (C) 2020 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
gpg: directory '/root/.gnupg' created
gpg: keybox '/root/.gnupg/pubring.kbx' created
Please select what kind of key you want:
(1) RSA and RSA (default)
(2) DSA and Elgamal
(3) DSA (sign only)
(4) RSA (sign only)
(14) Existing key from card
Your selection?
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048)
Requested keysize is 2048 bits
Please specify how long the key should be valid.
0 = key does not expire
<n> = key expires in n days
<n>w = key expires in n weeks
<n>m = key expires in n months
<n>y = key expires in n years
Key is valid for? (0)
Key does not expire at all
Is this correct? (y/N) y
GnuPG needs to construct a user ID to identify your key.
Real name: wq
Name must be at least 5 characters long
Real name: wqqqw
Email address: 1@2qq.com
Comment: wq
You selected this USER-ID:
"wqqqw (wq) <1@2qq.com>"
pub rsa2048 2022-08-15 [SC]
1C57DD6ED50F9B549428B89E9811E529B7A64BC1
uid wqqqw (wq) <1@2qq.com>
sub rsa2048 2022-08-15 [E]
Run a container registry
[root@localhost ~]# podman run -d -p 5000:5000 docker.io/registry
Trying to pull docker.io/library/registry:latest...
Getting image source signatures
Copying blob e2ead8259a04 done
Copying blob 3790aef225b9 done
Copying blob 79e9f2f55bf5 done
Copying blob 5b27040df4a2 done
Copying blob 0d96da54f60b done
Copying config b8604a3fe8 done
Writing manifest to image destination
Storing signatures
719385b956f74d4f515120836ba535de1337780591203ba83c264cff4f46825c
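The registry knows nothing about image signatures; it only provides remote storage for container images. This means that if we want to sign images, we have to take care of how the signatures are distributed ourselves.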
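The following added example (not part of the original page or of podman itself) shows how a signature is located independently of the registry. It follows the lookaside layout documented in containers-registries.d(5), `<repository path>@<algorithm>=<hex>/signature-<n>`. The function names and the digest are constructed for illustration, and references are assumed to be fully qualified already.

```python
import re
from pathlib import Path

# Only well-formed sha256 digests are accepted, so a digest string can never
# smuggle path separators into the store path.
DIGEST_RE = re.compile(r"(sha256):([0-9a-f]{64})")


def repo_path(image: str) -> str:
    """Repository path of a reference, without registry host, tag or digest."""
    name = image.split("@", 1)[0]
    first, _, rest = name.partition("/")
    # A first component containing '.' or ':' (or "localhost") is a registry host.
    if rest and ("." in first or ":" in first or first == "localhost"):
        name = rest
    last = name.rsplit("/", 1)[-1]
    if ":" in last:  # strip the tag
        name = name[: name.rindex(":")]
    return name


def signature_relpath(image: str, digest: str, index: int = 1) -> str:
    """Relative location of signature number `index` (1-based) for a manifest."""
    m = DIGEST_RE.fullmatch(digest)
    if not m or index < 1:
        raise ValueError(f"bad digest or index: {digest!r}, {index}")
    return f"{repo_path(image)}@{m.group(1)}={m.group(2)}/signature-{index}"


def signature_url(base: str, image: str, digest: str, index: int = 1) -> str:
    """URL a client fetches when `base` is the configured signature server."""
    return base.rstrip("/") + "/" + signature_relpath(image, digest, index)


def missing_signatures(store: Path, pushed: dict) -> list:
    """Images from {reference: digest} with no first signature under `store`."""
    return [img for img, dg in pushed.items()
            if not (store / signature_relpath(img, dg)).is_file()]


if __name__ == "__main__":
    digest = "sha256:" + "ab" * 32  # constructed digest, not a real image
    print(signature_url("http://localhost:8000", "localhost:5000/alpine:latest", digest))
```

Running `missing_signatures` over the staging directory before it is served gives a quick check that every pushed digest actually has a signature file to distribute.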