Chicken-and-egg problem with image signing on CoreOS

Hello!

I’m on CoreOS, and I want to ensure that all of my services are running from verified, signed images. podman doesn’t support the signing mechanism used on Docker Hub, so this, realistically, requires me to run my own registry. Following this guide here…

… shows that the first step involves pulling registry from docker.io, and running it without being able to verify the signature on the image.

As a second pain point: If I want to run my own signature store, I almost inevitably want the web server hosting it to be protected with TLS. If I want it protected with TLS, I need to use an ACME client to fetch certificates. This being CoreOS, that ACME client will need to be installed from an OCI image hosted by the image registry I’m trying to set up in the first place. Circular dependencies! :exploding_head:

Is there a succinct method for provisioning a CoreOS instance with a working registry such that I don’t have to start the process by pulling a load of unsigned code?

2 Likes

I think this one is quite a specific issue that requires advanced CoreOS knowledge, so maybe worth asking in the CoreOS channels here:

(different forum, but you can login using your Fedora account as you did here)

Ah, OK, thanks!

1 Like