Task
Resolution: Done
Product / Portfolio Work
All future Red Hat products will be built using Konflux pipelines. Part of the image creation is signing the images with the official Red Hat release keys (see https://access.redhat.com/security/team/key).
As a security product, we should offer a built-in policy to help users ensure that only officially signed Red Hat images are run (where they are expected). To do this, we need:
- A list of Red Hat image registries/repositories (e.g. registry.redhat.io and quay.io/openshift-release-dev/ocp-v4.0-art-dev).
- A way of dynamically loading the Red Hat release keys for the cosign verifier.
- A curated list of Red Hat workloads, or a mechanism to identify them (e.g. everything pulled from the registry.redhat.io image registry).
Moreover, a default policy would serve as an example of how to combine policy criteria with signature verification, which is currently a source of confusion, as we saw in https://issues.redhat.com/browse/ROX-30116.
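As an added example (not code from this issue, from ACS, or from Konflux), the following Python model shows how such a default policy combines a scope criterion (the Red Hat registries and repositories named above) with a signature criterion (verified by the Red Hat release key). The verifier name `redhat-release`, the `ImageRef` helper and the sample workloads are constructed assumptions; the cosign verification itself is assumed to have already run and is represented by the set of verifier names that accepted each image.

```python
"""Added example: a minimal 'Red Hat images must carry a Red Hat release
signature' policy. Not part of the issue, ACS or Konflux.

Assumptions (constructed for illustration):
- Signature verification has already run; its outcome per image is the set
  of verifier names that accepted the image ("redhat-release" here).
- Scope entries are either a bare registry (matches every repository on it)
  or a registry/repository path (matches that repository or its sub-paths).
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Iterable, Optional

# Registries / repositories named in the issue.
RED_HAT_SCOPES = (
    "registry.redhat.io",
    "quay.io/openshift-release-dev/ocp-v4.0-art-dev",
)

# Hypothetical name of the signature integration holding the Red Hat release keys.
RED_HAT_VERIFIER = "redhat-release"


@dataclass(frozen=True)
class ImageRef:
    registry: str
    repository: str          # path without the registry, e.g. "rhel9/postgresql-15"
    tag: Optional[str]
    digest: Optional[str]


def parse_reference(ref: str) -> ImageRef:
    """Split "registry/repo[:tag][@digest]" into its parts.

    The registry is separated first so that a registry port (":5000") is never
    mistaken for a tag, and Docker-style shorthand ("ubi9/ubi") is mapped to
    docker.io so that it can never be confused with a Red Hat registry.
    """
    digest = None
    if "@" in ref:
        ref, digest = ref.split("@", 1)
    registry, _, path = ref.partition("/")
    if not path or ("." not in registry and ":" not in registry and registry != "localhost"):
        registry, path = "docker.io", ref
    tag = None
    if ":" in path.rsplit("/", 1)[-1]:
        path, tag = path.rsplit(":", 1)
    return ImageRef(registry.lower(), path, tag, digest)


def in_red_hat_scope(ref: ImageRef) -> bool:
    """Exact registry match, or repository match at a path-segment boundary.

    This keeps lookalike registries (registry.redhat.io.evil.example) and
    sibling repositories (.../ocp-v4.0-art-dev-mirror) outside the scope.
    """
    full = f"{ref.registry}/{ref.repository}"
    for scope in RED_HAT_SCOPES:
        if "/" in scope:
            if full == scope or full.startswith(scope + "/"):
                return True
        elif ref.registry == scope:
            return True
    return False


def evaluate_image(image: str, verified_by: Iterable[str]) -> Optional[str]:
    """Return a violation message, or None when the image is compliant or out of scope."""
    ref = parse_reference(image)
    if not in_red_hat_scope(ref):
        return None
    if RED_HAT_VERIFIER in set(verified_by):
        return None
    return f"{image}: Red Hat image not verified by signature integration '{RED_HAT_VERIFIER}'"


def evaluate_workloads(workloads: dict) -> list[tuple[str, str]]:
    """Evaluate {workload: (images, verifiers_that_accepted)} and collect violations."""
    violations = []
    for name, (images, verified_by) in workloads.items():
        for image in images:
            message = evaluate_image(image, verified_by)
            if message:
                violations.append((name, message))
    return violations


# Constructed sample input; the digest is a placeholder, not a real image.
SAMPLE_WORKLOADS = {
    "payments-db": (["registry.redhat.io/rhel9/postgresql-15:latest"], {"redhat-release"}),
    "lookalike": (["registry.redhat.io.evil.example/rhel9/postgresql-15:latest"], set()),
    "unsigned-ubi": (["registry.redhat.io/ubi9/ubi:9.4"], set()),
    "ocp-release": (["quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:" + "0" * 64], {"redhat-release"}),
    "sibling-repo": (["quay.io/openshift-release-dev/ocp-v4.0-art-dev-mirror:1"], set()),
    "third-party": (["docker.io/library/nginx:1.27"], set()),
}

if __name__ == "__main__":
    for workload, message in evaluate_workloads(SAMPLE_WORKLOADS):
        print(f"{workload}: {message}")
```

Only `unsigned-ubi` is reported: it is in scope and carries no accepted Red Hat signature. Note that `lookalike` produces no violation because its registry is outside the scope; a policy of this shape answers "are Red Hat images genuinely Red Hat signed?", and it does not replace a trusted-registries policy that decides which registries may be pulled from at all. Keeping the two concerns separate is what makes the combined policy readable.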
Reference: https://docs.google.com/document/d/1vhzPRfslM7HuAvepTx8iVsyRqkwFQ4C-WF31bi9svtg
There are no Sub-Tasks for this issue.