I recently discovered an issue with container policy configuration in Soltros OS. The problem? My policy.json configuration wasn't keeping up with the growing family of image variants. If you've been hitting issues with bootc upgrades or Distrobox, this is why—and here's how I fixed it.
What Went Wrong
Soltros started with a single image: soltros-os. My policy.json was configured for that specific image path. Simple enough.
Then I added more variants: soltros-os_lts, soltros-lts_cosmic, soltros-unstable_cosmic, and GNOME editions. Each new variant got its own image path. But the policy file? Still only knew about the original image.
The result: bootc was pulling images with ostree-unverified-registry in the status output, and for some users, Distrobox was getting blocked by overly strict policies that shouldn't have applied to third-party container images.
The Fix
I've updated policy.json to properly handle all Soltros image variants while keeping Distrobox and other container tools working smoothly. The new configuration allows all Soltros images and third-party containers to work without friction.
For Users: Emergency Fix Script
If you're experiencing issues right now, I've released an emergency fix script. Download and run it:
curl -sSL https://raw.githubusercontent.com/soltros/Soltros-OS-Components/refs/heads/master/emergency-policy-fix.sh -o fix-policy.sh
chmod +x fix-policy.sh
sudo ./fix-policy.sh
The script backs up your existing configuration, installs the corrected policy, and verifies everything is working. It's safe to run—if anything goes wrong, it automatically rolls back to your backup.
What Changed in the Build
Future Soltros images will ship with the correct policy.json from the start. The updated policy covers all current image variants:
- soltros-os (base)
- soltros-os_lts
- soltros-lts_cosmic
- soltros-unstable_cosmic
- soltros-os-lts_gnome
- soltros-os-unstable_gnome
Everything works now—Soltros OS images, Fedora base images, Ubuntu containers for Distrobox, whatever you need.
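How scope matching in policy.json treats a growing set of image variants, as an added example (not the project's actual policy.json or fix script): scopes match whole path components, so an entry for soltros-os does not cover soltros-os_lts, while a namespace scope covers every variant. Both policies and the ghcr.io/soltros/... image paths are constructed assumptions, and references are assumed to be fully qualified.

```python
# Added example: constructed policies, not the real Soltros policy.json.
# The ghcr.io/soltros/... image paths are assumed for illustration.
OLD_POLICY = {
    "default": [{"type": "reject"}],
    "transports": {"docker": {
        "ghcr.io/soltros/soltros-os": [{"type": "insecureAcceptAnything"}],
    }},
}
NEW_POLICY = {
    "default": [{"type": "insecureAcceptAnything"}],
    "transports": {"docker": {
        # One namespace scope covers every current and future variant.
        "ghcr.io/soltros": [{"type": "insecureAcceptAnything"}],
    }},
}


def candidate_scopes(ref):
    """Yield docker scopes for a fully qualified ref, most specific first.
    Wildcard host scopes ("*.example.com") are left out for brevity."""
    yield ref                                  # repo:tag or repo@digest
    name = ref.split("@", 1)[0]                # drop digest
    head, _, tail = name.rpartition("/")
    name = f"{head}/{tail.split(':', 1)[0]}"   # drop tag, keep host port
    yield name                                 # exact repository
    while "/" in name:                         # namespaces, then host
        name = name.rsplit("/", 1)[0]
        yield name


def effective_requirement(policy, ref, transport="docker"):
    """Return (matched scope, requirement types) that apply to ref."""
    scopes = policy.get("transports", {}).get(transport, {})
    for scope in [*candidate_scopes(ref), ""]:  # "" = transport default
        if scope in scopes:
            return scope, [r["type"] for r in scopes[scope]]
    return "default", [r["type"] for r in policy["default"]]


if __name__ == "__main__":
    refs = ["ghcr.io/soltros/soltros-os:latest",
            "ghcr.io/soltros/soltros-os_lts:latest",
            "docker.io/library/ubuntu:24.04"]
    for label, policy in (("old", OLD_POLICY), ("new", NEW_POLICY)):
        for ref in refs:
            print(label, ref, effective_requirement(policy, ref))
```

The namespace scope is also the single place where a signature requirement could later replace insecureAcceptAnything without touching third-party images.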
About Image Signing
Soltros OS images are signed with cosign for supply chain transparency. You can verify signatures manually if you want to confirm image authenticity. However, enforced signature verification at the system level isn't enabled yet.
Why? The container signature verification ecosystem is still maturing. Tools like cosign and GPG don't integrate seamlessly with bootc/podman policy enforcement yet. Rather than ship a half-working security feature that might break updates, I'm following the approach used by other community immutable distributions: sign images for transparency, but don't enforce verification on user systems.
When the tooling matures and proper signature storage infrastructure is in place, I'll revisit enforced signature verification. For now, you're trusting GitHub Container Registry's infrastructure. This is the same infrastructure that major projects like Universal Blue rely on.
Moving Forward
This is part of the learning process with an immutable OS. Policy files need to evolve alongside the distribution. I'm still figuring out the best way to handle this. Maybe there's a better approach than manually listing every image variant.
If you hit issues after running the fix script, or if you're seeing something I missed, let me know. I'm on GitHub and responsive to issues.
Soltros OS is still early. Problems like this are going to happen. But I'm committed to fixing them quickly and keeping the system reliable for the people using it.