Merge pull request #5485 from mfojtik/signature-auto-import

mburke5678 · web-flow · commit 5cc7d9772455 · 2017-11-15T13:01:53.000-05:00
Describe how to configure automatic image signature import
diff --git a/admin_guide/image_signatures.adoc b/admin_guide/image_signatures.adoc
@@ -247,3 +247,25 @@ the `<name>` is the name of the signature. The signature name must be 32
 characters long. The `<cryptographic_signature>` must follow the specification
 documented in the
 link:https://github.com/containers/image/blob/master/docs/atomic-signature.md#the-cryptographic-signature[containers/image] library.
+
+[[importing-signatures-from-sigstore]]
+=== Importing Image Signatures Automatically from Signature Stores
+
+{{product-title}} can automatically import image signatures if an signature
+store is configured on all {{product-title}} master nodes. The configuration is
+located in `/etc/containers/registries.d` directory. For more details about the
+configuration format visit
+link:https://github.com/containers/image/blob/master/docs/registries.d.md[containers/image]
+library documentation.
+
+A sample configuration that will cause image signatures to be imported
+automatically for all Red Hat images:
+
+----
+docker:
+  registry.access.redhat.com:
+    sigstore: https://access.redhat.com/webassets/docker/content/sigstore
+----
+
+Note that all signatures imported automatically by {{product-title}} will be
+"unverified" by default and will have to be verified by image administrators.
