Software supply chain security with podman.

SYNOPSIS

sudo podman image trust set -t reject default
sudo podman image trust set --type accept docker.io
sudo podman image trust set --type signedBy -f "$pubkey" docker.io

DESCRIPTION

Since my Arch Linux workstation is currently unavailable, I'm trying to build Archiso on my work laptop, where I'm running Gentoo. In order to get the proper build environment, the plan is to run Arch Linux in a container. I decided to start with a little Dockerfile, "FROM archlinux:latest". The invocation of docker-build(1) throws me a warning about some deprecation, so I'm probably a bit rusty with Docker. Instead of learning what's wrong on Docker, why not try switching to Podman instead?

Podman should be a drop-in replacement, but I immediately noticed some differences along the way. One of them is the need for an /etc/containers/policy.json file, which specifies what policy to adopt for image repositories. This is good news! I recently participated in a security conference, where one of the presentations was about the security of the software supply chain, and even if nothing I heard there enlightened me that much, the whole experience put me in a certain mood for additional security.

The commands in the SYNOPSIS are a short path for the configuration of /etc/containers/policy.json. I wish I could find the public keys for docker.io, since there would be a way to specify the public keys in use for the account.

This is a topic I find interesting. Do you have opinions about it? Feel free to send me an email: dacav at fastmail.com.
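For reference, this is a hand-written /etc/containers/policy.json in the format documented by containers-policy.json(5) that expresses the same trust policy as the three SYNOPSIS commands. It is an added example, not a file taken from the post or generated by podman, and it may differ in detail from what podman image trust set actually writes on a given version (for instance the exact key name used for the key file path). The key path /etc/pki/containers/docker.io.gpg is a placeholder standing in for "$pubkey". Note that the second and third commands both target the scope docker.io, and a later podman image trust set replaces the existing entry for the same scope, so the net policy for docker.io is signedBy rather than accept; everything not matching a listed scope falls through to the reject default.

```json
{
  "default": [
    { "type": "reject" }
  ],
  "transports": {
    "docker": {
      "docker.io": [
        {
          "type": "signedBy",
          "keyType": "GPGKeys",
          "keyPath": "/etc/pki/containers/docker.io.gpg"
        }
      ]
    }
  }
}
```

Two things to check before relying on this: a signedBy requirement only works if podman can locate signatures for the registry (a lookaside/sigstore location configured under /etc/containers/registries.d/, or signatures served by the registry itself), otherwise pulls from docker.io fail even for correctly signed images; and a reject default also blocks transports such as containers-storage and dir unless they are listed explicitly, so podman build and local image operations may need their own entries under "transports".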