- Story
- Resolution: Done
- Normal
For users who might not have their policy.json and/or registries.d correctly configured, it may be desirable to skip signature verification and mirroring completely.
This story doesn't provide a granular (per-image) way to skip signature mirroring.
This story only provides a way to enable/disable signature mirroring as a whole.
We also need to verify the behavior behind the existing command-line argument secure-policy.
We need to at least ask PM whether other parameters related to signature configuration found in skopeo/podman should also be available in oc-mirror.
Example:
// This is what skopeo uses to not verify signatures
--insecure-policy                      run the tool without any policy check
// This is what skopeo uses to set different locations for policy.json and registries.d
--policy string                        Path to a trust policy file
--registries.d DIR                     use registry configuration files in DIR (e.g. for container signature storage)
// This is what skopeo uses to stop copying signatures
--remove-signatures                    Do not copy signatures from SOURCE-IMAGE
// these shouldn't be needed.
--sign-by FINGERPRINT                  Sign the image using a GPG key with the specified FINGERPRINT
--sign-by-sigstore PATH                Sign the image using a sigstore parameter file at PATH
--sign-by-sigstore-private-key PATH    Sign the image using a sigstore private key at PATH
--sign-identity string                 Identity of signed image, must be a fully specified docker reference. Defaults to the target docker reference.
--sign-passphrase-file PATH            Read a passphrase for signing an image from PATH
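Before disabling verification as a whole, it helps to see which images a given policy.json would actually verify. The following is an added example, not code from oc-mirror or skopeo: it resolves the matching scope for each repository and reports whether a signature check applies. The sample policy, registry names and key path are constructed, and tag/digest-specific and wildcard host scopes are deliberately ignored.

```python
import json

# Constructed sample policy.json (not from the ticket): one signed namespace,
# everything else accepted without verification.
SAMPLE_POLICY = json.loads("""
{
  "default": [{"type": "insecureAcceptAnything"}],
  "transports": {
    "docker": {
      "registry.example.com/release": [
        {"type": "signedBy", "keyType": "GPGKeys",
         "keyPath": "/etc/pki/example/release.gpg"}
      ]
    }
  }
}
""")

CHECKING = {"signedBy", "sigstoreSigned"}  # requirement types that verify a signature

def candidate_scopes(repo):
    """Scopes from most to least specific: repo, parent namespaces, host."""
    parts = repo.split("/")
    return ["/".join(parts[:i]) for i in range(len(parts), 0, -1)]

def effective_requirements(policy, transport, repo):
    """Return (matched scope, requirements) for a repository."""
    scopes = policy.get("transports", {}).get(transport, {})
    for scope in candidate_scopes(repo):
        if scope in scopes:
            return scope, scopes[scope]
    if "" in scopes:                      # transport-wide default scope
        return transport + ":<default>", scopes[""]
    return "default", policy["default"]   # global default

def classify(requirements):
    """All requirements must pass, so one 'reject' blocks the image."""
    types = {r["type"] for r in requirements}
    if "reject" in types:
        return "rejected"
    return "verified" if types & CHECKING else "unverified"

def audit(policy, repos, transport="docker"):
    """Map each repository to (matched scope, verification outcome)."""
    result = {}
    for repo in repos:
        scope, reqs = effective_requirements(policy, transport, repo)
        result[repo] = (scope, classify(reqs))
    return result
```

Repositories reported as "unverified" are already mirrored without a signature check under that policy, so a global skip changes nothing for them; those reported as "verified" are the ones that lose protection.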