Fedora Cloud Base and Container Base should support machinectl --verify=signature https://bugzilla.redhat.com/show_bug.cgi?id=2048035
$ sudo machinectl pull-tar https://kojipkgs.fedoraproject.org//packages/Fedora-Container-Base/35/20220127.0/images/Fedora-Container-Base-35-20220127.0.x86_64.tar.xz FCB35-20220127 Enqueued transfer job 1. Press C-c to continue download in background. Pulling 'https://kojipkgs.fedoraproject.org//packages/Fedora-Container-Base/35/20220127.0/images/Fedora-Container-Base-35-20220127.0.x86_64.tar.xz', saving as 'FCB35-20220127'. Downloading 34.8M for https://kojipkgs.fedoraproject.org//packages/Fedora-Container-Base/35/20220127.0/images/Fedora-Container-Base-35-20220127.0.x86_64.tar.xz. HTTP request to https://kojipkgs.fedoraproject.org//packages/Fedora-Container-Base/35/20220127.0/images/Fedora-Container-Base-35-20220127.0.x86_64.nspawn failed with code 404. Settings file could not be retrieved, proceeding without. HTTP request to https://kojipkgs.fedoraproject.org//packages/Fedora-Container-Base/35/20220127.0/images/SHA256SUMS.gpg failed with code 404. HTTP request to https://kojipkgs.fedoraproject.org//packages/Fedora-Container-Base/35/20220127.0/images/SHA256SUMS failed with code 404. Failed to retrieve SHA256 checksum, cannot verify. (Try --verify=no?) Exiting.
machinectl uses --verify=signature by default, but we're not publishing anything that it can use to verify the image.
Login to comment on this ticket.