From 8f80e0f85b8b9b578b078edb5d8437e2f9dc3eb1 Mon Sep 17 00:00:00 2001
From: Dave Jansen
Date: Sun, 16 Nov 2025 14:43:10 +0900
Subject: [PATCH] Attempt: Add custom containers-policy.json
---
 build_files/build.sh | 4 +++
 sys_files/usr/etc/containers/policy.json | 32 ++++++++++++++++++++++++
 2 files changed, 36 insertions(+)
 create mode 100644 sys_files/usr/etc/containers/policy.json
diff --git a/build_files/build.sh b/build_files/build.sh
index 55eb7fa..ee24a99 100755
--- a/build_files/build.sh
+++ b/build_files/build.sh
@@ -5,6 +5,10 @@ set -ouex pipefail
 # Copy System Files onto root
 rsync -rvK /ctx/sys_files/ /
+# Copy cosign.pub key into the right location
+mkdir -p /etc/pki/containers
+cp /ctx/cosign.pub /etc/pki/containers/davejansen.pub
+
 ### Install packages
 # Packages can be installed from any enabled yum repo on the image.
diff --git a/sys_files/usr/etc/containers/policy.json b/sys_files/usr/etc/containers/policy.json
new file mode 100644
index 0000000..efb2341
--- /dev/null
+++ b/sys_files/usr/etc/containers/policy.json
@@ -0,0 +1,32 @@
+{
+ "default": [
+ {
+ "type": "reject"
+ }
+ ],
+ "transports": {
+ "docker": {
+ "davejansen.dev": [
+ {
+ "type": "sigstoreSigned",
+ "keyPaths": ["/etc/pki/containers/davejansen.pub"],
+ "signedIdentity": {
+ "type": "matchRepository"
+ }
+ }
+ ],
+ "": [
+ {
+ "type": "insecureAcceptAnything"
+ }
+ ]
+ },
+ "docker-daemon": {
+ "": [
+ {
+ "type": "insecureAcceptAnything"
+ }
+ ]
+ }
+ }
+}
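Review bot: The key is copied to `/etc/pki/containers/davejansen.pub` while the policy that references it arrives through the `rsync` line just above at `/usr/etc/containers/policy.json`, so the two halves of this feature are installed under different trees; if the base image already ships `/etc/containers/policy.json` in the build container, it is worth confirming which copy is in effect after the image is committed, and moving the policy to `sys_files/etc/containers/` would make both paths follow the same rule. The new `cp` depends on `set -e` (from `set -ouex pipefail`) to abort the build when `/ctx/cosign.pub` is absent, which is the right outcome but deserves a word, e.g. `# Build fails here if /ctx/cosign.pub is missing; the policy in sys_files requires this key`. Nothing in the patch adds a `registries.d` entry with `use-sigstore-attachments: true` for the signed registry, so the `sigstoreSigned` rule may have no signatures to look up unless such an entry already exists elsewhere in the image.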
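Review bot: The `""` catch-all under `docker` accepts unsigned images from every registry other than `davejansen.dev`, so the top-level `"default": "reject"` only governs transports not listed here, and a pull from a mistyped or look-alike host would still succeed unverified. If keeping third-party images pullable is the intended trade-off, record it where the file is installed, since JSON has no comments — e.g. next to the `rsync` in build.sh: `# policy.json: only davejansen.dev is signature-enforced; other docker registries are insecureAcceptAnything`. `"signedIdentity": {"type": "matchRepository"}` also ignores the tag, so a registry serving an older signed image under a newer tag of the same repository passes the check; `matchRepoDigestOrExact` is the stricter option if tags are not rewritten after signing. Both are policy choices rather than defects in the file itself, which is valid JSON.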