From de4e3fb80ec3caf7f51b3835fd7f7b0bf038d0db Mon Sep 17 00:00:00 2001
From: Will Shanks
Date: Mon, 13 Apr 2026 15:30:45 -0400
Subject: [PATCH] Add sigstore verification for registry.access.redhat.com

Bluefin LTS uses a CentOS base that does not include the gpg key for registry.access.redhat.com. It does have the sigstore key though. Here the sigstore method is added to policy.json. This addition avoids signature verification failure when trying to pull images from registry.access.redhat.com (like the ubi images) with podman on Bluefin LTS. See https://github.com/ublue-os/bluefin-lts/issues/1292 for more context.
---
 .../ublue-os-signing/src/usr/etc/containers/policy.json | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/packages/ublue-os-signing/src/usr/etc/containers/policy.json b/packages/ublue-os-signing/src/usr/etc/containers/policy.json
index 9fbe0e56f..2f5b9fdb8 100644
--- a/packages/ublue-os-signing/src/usr/etc/containers/policy.json
+++ b/packages/ublue-os-signing/src/usr/etc/containers/policy.json
@@ -11,6 +11,13 @@
 "type": "signedBy",
 "keyType": "GPGKeys",
 "keyPath": "/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release"
+ },
+ {
+ "type": "sigstoreSigned",
+ "keyPath": "/etc/pki/sigstore/SIGSTORE-redhat-release3",
+ "signedIdentity": {
+ "type": "matchRepository"
+ }
 }
 ],
 "registry.redhat.io": [
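Review bot: The new `sigstoreSigned` entry is appended to the same requirements array as the existing `signedBy` entry for `registry.access.redhat.com`, and per containers-policy.json(5) every requirement in a scope's array must be satisfied, so this reads as an additional requirement rather than an alternative. If `/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release` is really absent on the CentOS base, the `signedBy` requirement would presumably still reject the pull, and on images that lack `/etc/pki/sigstore/SIGSTORE-redhat-release3` the new requirement would fail instead; it is worth confirming both key files exist on every image that ships this package, or shipping a per-base policy. Sigstore signatures are also only fetched when the registry has `use-sigstore-attachments: true` in registries.d, which this one-file patch does not show. The `registry.redhat.io` scope that follows continues outside the hunk, so whether it needs the same treatment cannot be judged from here.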