Fedora Cloud Base and Container Base should support machinectl --verify=signature https://bugzilla.redhat.com/show_bug.cgi?id=2048035
$ sudo machinectl pull-raw https://kojipkgs.fedoraproject.org//packages/Fedora-Cloud-Base/35/20220128.0/images/Fedora-Cloud-Base-35-20220128.0.x86_64.raw.xz FCB35-20220127 Enqueued transfer job 2. Press C-c to continue download in background. Pulling 'https://kojipkgs.fedoraproject.org//packages/Fedora-Cloud-Base/35/20220128.0/images/Fedora-Cloud-Base-35-20220128.0.x86_64.raw.xz', saving as 'FCB35-20220127'. Downloading 299.4M for https://kojipkgs.fedoraproject.org//packages/Fedora-Cloud-Base/35/20220128.0/images/Fedora-Cloud-Base-35-20220128.0.x86_64.raw.xz. HTTP request to https://kojipkgs.fedoraproject.org//packages/Fedora-Cloud-Base/35/20220128.0/images/Fedora-Cloud-Base-35-20220128.0.x86_64.roothash.p7s failed with code 404. Root hash signature file could not be retrieved, proceeding without. HTTP request to https://kojipkgs.fedoraproject.org//packages/Fedora-Cloud-Base/35/20220128.0/images/Fedora-Cloud-Base-35-20220128.0.x86_64.nspawn failed with code 404. Settings file could not be retrieved, proceeding without. HTTP request to https://kojipkgs.fedoraproject.org//packages/Fedora-Cloud-Base/35/20220128.0/images/Fedora-Cloud-Base-35-20220128.0.x86_64.verity failed with code 404. Verity integrity file could not be retrieved, proceeding without. https://kojipkgs.fedoraproject.org//packages/Fedora-Cloud-Base/35/20220128.0/images/Fedora-Cloud-Base-35-20220128.0.x86_64.verity HTTP request to https://kojipkgs.fedoraproject.org//packages/Fedora-Cloud-Base/35/20220128.0/images/SHA256SUMS.gpg failed with code 404. HTTP request to https://kojipkgs.fedoraproject.org//packages/Fedora-Cloud-Base/35/20220128.0/images/Fedora-Cloud-Base-35-20220128.0.x86_64.roothash failed with code 404. Root hash file could not be retrieved, proceeding without. HTTP request to https://kojipkgs.fedoraproject.org//packages/Fedora-Cloud-Base/35/20220128.0/images/SHA256SUMS failed with code 404. Failed to retrieve SHA256 checksum, cannot verify. (Try --verify=no?) Exiting.
machinectl uses --verify=signature by default, but we're not publishing anything that it can use to verify the image.
machinectl
Metadata Update from @davdunc: - Issue tagged with: meeting
Log in to comment on this ticket.