Improve security #12

.forgejo/workflows/ci.yml

@@ -53,9 +53,9 @@ jobs:
           timeout 15 bash -c 'until docker exec ci-dind docker version > /dev/null 2>&1; do echo "Waiting for Docker daemon inside DinD..."; sleep 5; done'
           echo "DinD container is ready"
           
-          # Install Cosign in DinD container
+          # Install Cosign in DinD container (pinned version)
           echo "Installing Cosign..."
-          docker exec ci-dind sh -c "wget -O /usr/local/bin/cosign https://github.com/sigstore/cosign/releases/latest/download/cosign-linux-amd64 && chmod +x /usr/local/bin/cosign"
+          docker exec ci-dind sh -c "COSIGN_VERSION=v2.2.4 && wget -O /usr/local/bin/cosign https://github.com/sigstore/cosign/releases/download/\${COSIGN_VERSION}/cosign-linux-amd64 && chmod +x /usr/local/bin/cosign"
           
           # Login to Docker Registry (using HTTPS port 443)
           echo "${{ secrets.REGISTRY_PASSWORD }}" | docker exec -i ci-dind docker login ${{ secrets.CI_HOST }}:443 -u ${{ secrets.REGISTRY_USER }} --password-stdin

Docker_Registry_Install_Guide.md

@@ -68,6 +68,7 @@ sudo usermod --add-subgids 100000-165535 CI_SERVICE_USER
 sudo mkdir -p /etc/containers
 sudo tee /etc/containers/registries.conf > /dev/null << 'EOF'
 unqualified-search-registries = ["docker.io"]
+short-name-mode = "enforcing"
 EOF
 
 # Set proper permissions for system-wide Podman config (root-owned)
@@ -121,7 +122,7 @@ sudo tee /etc/logrotate.d/registry-proxy > /dev/null << 'EOF'
     copytruncate
     missingok
     notifempty
-    create 644 registry-proxy registry-proxy
+    create 640 registry-proxy registry-proxy
 }
 EOF
 ```
@@ -274,7 +275,7 @@ ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256';
       limit_req zone=reg_write burst=10;
       limit_conn perip 20;
       proxy_pass http://reg;
-      proxy_set_header Host $host:$server_port;
+      proxy_set_header Host $host;
       proxy_set_header X-Forwarded-Proto https;
       proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
       add_header Docker-Distribution-Api-Version "registry/2.0" always;
@@ -384,8 +385,13 @@ sudo cp /etc/registry/certs/ca/ca.crt /usr/local/share/ca-certificates/registry-
 sudo update-ca-certificates
 
 # 4. Generate Cosign key pair for image signing
-# Install Cosign if not already installed
-wget -O /usr/local/bin/cosign https://github.com/sigstore/cosign/releases/latest/download/cosign-linux-amd64
+# Install Cosign (pinned + verified)
+COSIGN_VERSION=v2.2.4
+COSIGN_URL="https://github.com/sigstore/cosign/releases/download/${COSIGN_VERSION}/cosign-linux-amd64"
+COSIGN_SHA256="<REPLACE_WITH_OFFICIAL_SHA256>"
+
+curl -fsSL -o /usr/local/bin/cosign "$COSIGN_URL"
+echo "${COSIGN_SHA256}  /usr/local/bin/cosign" | sha256sum -c -
 chmod +x /usr/local/bin/cosign
 
 # Generate Cosign key pair (or use keyless OIDC in CI)
@@ -455,6 +461,9 @@ sudo cp /path/to/org-cosign.pub /etc/containers/keys/org-cosign.pub
 
 **Note:** Replace `REGISTRY_HOST` with the actual FQDN or IP address that matches your certificate's Subject Alternative Name (SAN). For pushes, both the server CA certificate and client certificate/key are required for mTLS authentication. The Cosign public key is required for signature verification on both ports.
 
+**Best practice:** pull/deploy by **digest**, not tag. Example:
+`podman pull REGISTRY_HOST/namespace/image@sha256:<digest>`
+
 ## Security Model
 
 This setup implements a multi-layered security approach:

registry/containers-policy.json

@@ -16,11 +16,7 @@
           "signedIdentity": { "type": "matchRepository" }
         }
       ],
-      "docker.io": [
-        {
-          "type": "insecureAcceptAnything"
-        }
-      ]
+      "docker.io": [{ "type": "reject" }]
     },
     "docker-daemon": { "": [{ "type": "reject" }] }
   }