09:33 <bluecmd> Hi! I am playing with CoreOS layering. I have uploaded my own CoreOS derrivation on quay.io/bluecmd/bluecmd-coreos and I am trying to figure out how I can restrict my CoreOS instance to only accept it as a rebase target. I am playing around with sudo rpm-ostree rebase ostree-image-signed:docker://quay.io/bluecmd/bluecmd-coreos:test and /etc/containers/policy.json but I cannot seem to get the rebase to fail - it always succeeds even

09:34 <bluecmd> though I am asking it to require signatures from /dev/null.

09:34 <bluecmd> This is the policy.json I am using: https://gist.github.com/bluecmd/ebb4ed778ffc4d6aa9849a4bc0619679

09:39 <bluecmd> Or am I thinking about this the wrong way -- should my derivation somehow sign the OSTree and I should auth the OSTree instead?

10:04 <apollo13[m]> bluecmd[m]: as far as I understood it /etc/containers/policy.jon is not yet consulted by the ostree tooling

10:04 <apollo13[m]> (but take that with a grain of salt)

10:05 <bluecmd> From what I have observed, it complains about the default setting in that file if it is set to insecureAlwaysAccept - so I assumed it cared about the contents of the policy

10:05 <apollo13[m]> mhm then I am probably wrong 🙂