diff --git a/.forgejo/workflows/ci.yml b/.forgejo/workflows/ci.yml index 5feac00..04c5101 100644 --- a/.forgejo/workflows/ci.yml +++ b/.forgejo/workflows/ci.yml @@ -53,9 +53,9 @@ jobs: timeout 15 bash -c 'until docker exec ci-dind docker version > /dev/null 2>&1; do echo "Waiting for Docker daemon inside DinD..."; sleep 5; done' echo "DinD container is ready" - # Install Cosign in DinD container + # Install Cosign in DinD container (pinned version) echo "Installing Cosign..." - docker exec ci-dind sh -c "wget -O /usr/local/bin/cosign https://github.com/sigstore/cosign/releases/latest/download/cosign-linux-amd64 && chmod +x /usr/local/bin/cosign" + docker exec ci-dind sh -c "COSIGN_VERSION=v2.2.4 && wget -O /usr/local/bin/cosign https://github.com/sigstore/cosign/releases/download/\${COSIGN_VERSION}/cosign-linux-amd64 && chmod +x /usr/local/bin/cosign" # Login to Docker Registry (using HTTPS port 443) echo "${{ secrets.REGISTRY_PASSWORD }}" | docker exec -i ci-dind docker login ${{ secrets.CI_HOST }}:443 -u ${{ secrets.REGISTRY_USER }} --password-stdin diff --git a/Docker_Registry_Install_Guide.md b/Docker_Registry_Install_Guide.md index e704234..c8d2b82 100644 --- a/Docker_Registry_Install_Guide.md +++ b/Docker_Registry_Install_Guide.md @@ -68,6 +68,7 @@ sudo usermod --add-subgids 100000-165535 CI_SERVICE_USER sudo mkdir -p /etc/containers sudo tee /etc/containers/registries.conf > /dev/null << 'EOF' unqualified-search-registries = ["docker.io"] +short-name-mode = "enforcing" EOF # Set proper permissions for system-wide Podman config (root-owned) @@ -121,7 +122,7 @@ sudo tee /etc/logrotate.d/registry-proxy > /dev/null << 'EOF' copytruncate missingok notifempty - create 644 registry-proxy registry-proxy + create 640 registry-proxy registry-proxy } EOF ``` 
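Review bot: The pinned Cosign download in the new `docker exec ci-dind sh -c "COSIGN_VERSION=v2.2.4 && wget ..."` line still has no integrity check — pinning the tag fixes which release is requested, not that the bytes written to `/usr/local/bin/cosign` match it, and the binary is then used to sign the images this workflow publishes. The guide hunk in this same commit adds exactly that check but leaves `COSIGN_SHA256=""`, which makes `sha256sum -c -` fail until a real value is filled in, so the two should be brought into agreement. I would extend the inner script to verify before `chmod`: `docker exec ci-dind sh -c "COSIGN_VERSION=v2.2.4 && COSIGN_SHA256=<EXPECTED_SHA256_FROM_RELEASE> && wget -O /usr/local/bin/cosign https://github.com/sigstore/cosign/releases/download/\${COSIGN_VERSION}/cosign-linux-amd64 && echo \"\${COSIGN_SHA256}  /usr/local/bin/cosign\" | sha256sum -c - && chmod +x /usr/local/bin/cosign"` (placeholder to be replaced with the SHA-256 published for that release). Keeping the version and checksum in a job-level `env:` entry rather than inline in the `sh -c` string would also make the pin reviewable in one place. The `run:` block this line belongs to starts before this hunk.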
@@ -274,7 +275,7 @@ ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256'; limit_req zone=reg_write burst=10; limit_conn perip 20; proxy_pass http://reg; - proxy_set_header Host $host:$server_port; + proxy_set_header Host $host; proxy_set_header X-Forwarded-Proto https; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; add_header Docker-Distribution-Api-Version "registry/2.0" always; @@ -384,8 +385,13 @@ sudo cp /etc/registry/certs/ca/ca.crt /usr/local/share/ca-certificates/registry- sudo update-ca-certificates # 4. Generate Cosign key pair for image signing -# Install Cosign if not already installed -wget -O /usr/local/bin/cosign https://github.com/sigstore/cosign/releases/latest/download/cosign-linux-amd64 +# Install Cosign (pinned + verified) +COSIGN_VERSION=v2.2.4 +COSIGN_URL="https://github.com/sigstore/cosign/releases/download/${COSIGN_VERSION}/cosign-linux-amd64" +COSIGN_SHA256="" + +curl -fsSL -o /usr/local/bin/cosign "$COSIGN_URL" +echo "${COSIGN_SHA256} /usr/local/bin/cosign" | sha256sum -c - chmod +x /usr/local/bin/cosign # Generate Cosign key pair (or use keyless OIDC in CI) @@ -455,6 +461,9 @@ sudo cp /path/to/org-cosign.pub /etc/containers/keys/org-cosign.pub **Note:** Replace `REGISTRY_HOST` with the actual FQDN or IP address that matches your certificate's Subject Alternative Name (SAN). For pushes, both the server CA certificate and client certificate/key are required for mTLS authentication. The Cosign public key is required for signature verification on both ports. +**Best practice:** pull/deploy by **digest**, not tag. Example: +`podman pull REGISTRY_HOST/namespace/image@sha256:` + ## Security Model This setup implements a multi-layered security approach: diff --git a/registry/containers-policy.json b/registry/containers-policy.json index 2467b3e..fd3022d 100644 --- a/registry/containers-policy.json +++ b/registry/containers-policy.json 
@@ -16,11 +16,7 @@ "signedIdentity": { "type": "matchRepository" } } ], - "docker.io": [ - { - "type": "insecureAcceptAnything" - } - ] + "docker.io": [{ "type": "reject" }] }, "docker-daemon": { "": [{ "type": "reject" }] } }
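Review bot: The `"docker.io": [{ "type": "reject" }]` entry is enforced only by consumers of containers-policy.json (Podman, skopeo, CRI-O); the Docker daemon inside `ci-dind` that the ci.yml hunk drives does not read this file, so as far as I can tell the CI build path can still pull unverified images from Docker Hub and needs its own control (for example mirroring base images through the signed registry). It is also worth recording in the guide that once docker.io is rejected every base image must be referenced by a fully-qualified name on the allowed registry — with the guide's `unqualified-search-registries = ["docker.io"]` a short name would resolve to docker.io and be rejected at pull time, which will look like a confusing policy error rather than a deliberate block. The `default` policy this entry falls back to is outside the hunk.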