local build

2022-08-10 08:50:23 -04:00 · 2022-08-10 08:50:23 -04:00 · 23d18a07d3
commit 23d18a07d3
parent 91c97adffd
3 changed files with 9 additions and 7 deletions
--- a/containers-policy.json.5.md
+++ b/containers-policy.json.5.md
@ -255,6 +255,8 @@ Exactly one of `keyPath` and `keyData` must be present, containing a sigstore pu
 The `signedIdentity` field has the same semantics as in the `signedBy` requirement described above.
 Note that `cosign`-created signatures only contain a repository, so only `matchRepository` and `exactRepository` can be used to accept them (and that does not protect against substitution of a signed image with an unexpected tag).

+To use this with images hosted on image registries, the relevant registry or repository must have the `use-sigstore-attachments` option enabled in containers-registries.d(5).
+
 ## Examples

 It is *strongly* recommended to set the `default` policy to `reject`, and then
@ -281,14 +283,14 @@ selectively allow individual transports and scopes as desired.
            "hostname:5000/myns/sigstore-signed-with-full-references": [
                {
                    "type": "sigstoreSigned",
-                    "keyPath": "/path/to/sigstore-pubkey.key"
+                    "keyPath": "/path/to/sigstore-pubkey.pub"
                }
            ],
            /* A sigstore-signed repository, accepts signatures by /usr/bin/cosign */
            "hostname:5000/myns/sigstore-signed-allows-malicious-tag-substitution": [
                {
                    "type": "sigstoreSigned",
-                    "keyPath": "/path/to/sigstore-pubkey.key",
+                    "keyPath": "/path/to/sigstore-pubkey.pub",
                    "signedIdentity": {"type": "matchRepository"}
                }
            ]
--- a/containers-storage.conf.5.md
+++ b/containers-storage.conf.5.md
@ -99,7 +99,7 @@ containers/storage supports four keys

 **remap-uids=**""
 **remap-gids=**""
-  Remap-UIDs/GIDs is the mapping from UIDs/GIDs as they should appear inside of a container, to the UIDs/GIDs outside of the container, and the length of the range of UIDs/GIDs.  Additional mapped sets can be listed and will be heeded by libraries, but there are limits to the number of mappings which the kernel will allow when you later attempt to run a container.
+  Remap-UIDs/GIDs is the mapping from UIDs/GIDs as they should appear inside of a container, to the UIDs/GIDs outside of the container, and the length of the range of UIDs/GIDs.  Additional mapped sets can be listed and will be needed by libraries, but there are limits to the number of mappings which the kernel will allow when you later attempt to run a container.

  Example
     remap-uids = 0:1668442479:65536
@ -244,7 +244,7 @@ Note: The force_mask Flag is an experimental feature, it could change in the
 future.  When "force_mask" is set the original permission mask is stored in the
 "user.containers.override_stat" xattr and the "mount_program" option must be
 specified. Mount programs like "/usr/bin/fuse-overlayfs" present the extended
-attribute permissions to processes within containers rather then the
+attribute permissions to processes within containers rather than the
 "force_mask"  permissions.

 **mount_program**=""
--- a/storage.conf
+++ b/storage.conf
@ -1,4 +1,4 @@
-# This file is is the configuration file for all tools
+# This file is the configuration file for all tools
 # that use the containers/storage library. The storage.conf file
 # overrides all other storage.conf files. Container engines using the
 # container/storage library do not inherit fields from other storage.conf
@ -65,7 +65,7 @@ pull_options = {enable_partial_images = "false", use_hard_links = "false", ostre
 # Remap-UIDs/GIDs is the mapping from UIDs/GIDs as they should appear inside of
 # a container, to the UIDs/GIDs as they should appear outside of the container,
 # and the length of the range of UIDs/GIDs.  Additional mapped sets can be
-# listed and will be heeded by libraries, but there are limits to the number of
+# listed and will be needed by libraries, but there are limits to the number of
 # mappings which the kernel will allow when you later attempt to run a
 # container.
 #
@ -150,7 +150,7 @@ mountopt = "nodev,metacopy=on"
 #  future.  When "force_mask" is set the original permission mask is stored in
 #  the "user.containers.override_stat" xattr and the "mount_program" option must
 #  be specified. Mount programs like "/usr/bin/fuse-overlayfs" present the
-#  extended attribute permissions to processes within containers rather then the
+#  extended attribute permissions to processes within containers rather than the
 #  "force_mask"  permissions.
 #
 # force_mask = ""