From 5b23c1835ae6656cb118cf7f8e3e84815e0fbed5 Mon Sep 17 00:00:00 2001
From: Will Shanks
Date: Tue, 14 Apr 2026 12:07:23 -0400
Subject: [PATCH] Add sigstore verification for registry.access.redhat.com

Bluefin LTS uses a CentOS base that does not include the gpg key for registry.access.redhat.com. It does have the sigstore key though. Here the sigstore method is added to policy.json. This addition avoids signature verification failure when trying to pull images from registry.access.redhat.com (like the ubi images) with podman on Bluefin LTS. See https://github.com/ublue-os/bluefin-lts/issues/1292 for more context.
---
 system_files/shared/etc/containers/policy.json | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/system_files/shared/etc/containers/policy.json b/system_files/shared/etc/containers/policy.json
index 20be49f5..e10094e3 100644
--- a/system_files/shared/etc/containers/policy.json
+++ b/system_files/shared/etc/containers/policy.json
@@ -11,6 +11,13 @@
 "type": "signedBy",
 "keyType": "GPGKeys",
 "keyPath": "/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release"
+ },
+ {
+ "type": "sigstoreSigned",
+ "keyPath": "/etc/pki/sigstore/SIGSTORE-redhat-release3",
+ "signedIdentity": {
+ "type": "matchRepository"
+ }
 }
 ],
 "registry.redhat.io": [
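Review bot: The new `sigstoreSigned` entry is appended to the same requirement array as the existing `signedBy` entry for `registry.access.redhat.com`, and as I read containers-policy.json(5) every requirement listed for a scope must be satisfied together, not any one of them. If that reading holds, a pull would still need `/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release` and now also `/etc/pki/sigstore/SIGSTORE-redhat-release3`, so a base image missing either file would reject these images rather than fall back to the other method. Because the file lives under `system_files/shared`, please confirm both key files exist on every variant that ships it, or keep only the requirement whose key is present on each base. Sigstore signatures are also only fetched when the registry has `use-sigstore-attachments: true` in registries.d, which this patch does not touch, so that setting and a test `podman pull` of a ubi image on both bases are worth checking. The scope's array opens above the hunk, so its other entries are not visible here.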