This document explains how to add a pair of signing keys to your Quay Enterprise installation allowing Quay to sign container images after converting them to ACI format.
Download the files aci-signing-key-batch and generate-signing-keys.sh next to your configuration directory.
Make generate-signing-keys.sh
executable:
chmod +x generate-signing-keys.sh
Edit the aci-signing-key-batch configuration, replacing the email address, name, and comment with values appropriate for your site.
Run the generate script, giving the name of an output directory as the argument:
./generate-signing-keys.sh outputdir
The script will create a pair of files beneath the given directory named signing-private.gpg
and signing-public.gpg
.
Generating initial keys
gpg: Generating a default key
gpg: done
Generating public signing key
Determining private key
Exporting private signing key
Private key name: CBFB447F
Cleaning up
Emitted outputdir/signing-private.gpg and outputdir/signing-public.gpg
Take note of the private key's name (example from above: CBFB447F
)
Visit the Quay superuser panel. Upload the pair of key files, and enter the generated private key name. Save the configuration and restart Quay Enterprise to enable signing of converted ACIs.