[Podman] Chicken-and-egg problem with image signatures on CoreOS

Hello! I've been bounced around a couple of forums and was told that this was probably the best place to ask the question... https://discussion.fedoraproject.org/t/chicken-and-egg-problem-with-image... Essentially: * I want to set up multiple CoreOS VMs. * CoreOS depends on being able to run all services from containers. * I want to use podman, because all of my services can run without privileges, and podman seems "better" in general. * I only want to run code from signed images from sources that I trust. Running random Docker images doesn't really cut it. * Setting up a registry appears to require running unsigned code, because podman can't check the docker.io signatures, and podman and docker "should not" be run alongside each other on the same system. * Securing communications to the registry with TLS realistically involves running an ACME client. * Paradoxically, running an ACME client probably involves grabbing an ACME client image from the registry that I'm trying to set up. :) I can see a few ways out of this situation, but all of the various approaches seem to involve running rather a lot of infrastructure just to get roughly the same level of security that I'd get with ordinary signed packages "for free" on FreeBSD or a Debian-based distro. Is there a better way to do this? -- Mark Raynsford | https://www.io7m.com