feat: use ublue-os-signing RPM from config (#177)

Benjamin Sherman
2024-07-24 00:05:46 -05:00
committed by GitHub
parent 8aac1e85e2
commit 3839785999
6 changed files with 8 additions and 102 deletions


@@ -124,6 +124,7 @@ jobs:
podman pull ${{ env.IMAGE_REGISTRY }}/akmods:${{ env.KERNEL_FLAVOR }}-${{ env.FEDORA_VERSION }} podman pull ${{ env.IMAGE_REGISTRY }}/akmods:${{ env.KERNEL_FLAVOR }}-${{ env.FEDORA_VERSION }}
podman pull ${{ env.IMAGE_REGISTRY }}/akmods-nvidia:${{ env.KERNEL_FLAVOR }}-${{ env.FEDORA_VERSION }} podman pull ${{ env.IMAGE_REGISTRY }}/akmods-nvidia:${{ env.KERNEL_FLAVOR }}-${{ env.FEDORA_VERSION }}
podman pull ${{ env.IMAGE_REGISTRY }}/akmods-zfs:${{ env.KERNEL_FLAVOR }}-${{ env.FEDORA_VERSION }} podman pull ${{ env.IMAGE_REGISTRY }}/akmods-zfs:${{ env.KERNEL_FLAVOR }}-${{ env.FEDORA_VERSION }}
podman pull ${{ env.IMAGE_REGISTRY }}/config:latest
- name: Verify versions - name: Verify versions
shell: bash shell: bash
@@ -381,6 +382,7 @@ jobs:
podman pull ${{ env.IMAGE_REGISTRY }}/akmods:${{ env.KERNEL_FLAVOR }}-${{ env.FEDORA_VERSION }} podman pull ${{ env.IMAGE_REGISTRY }}/akmods:${{ env.KERNEL_FLAVOR }}-${{ env.FEDORA_VERSION }}
podman pull ${{ env.IMAGE_REGISTRY }}/akmods-nvidia:${{ env.KERNEL_FLAVOR }}-${{ env.FEDORA_VERSION }} podman pull ${{ env.IMAGE_REGISTRY }}/akmods-nvidia:${{ env.KERNEL_FLAVOR }}-${{ env.FEDORA_VERSION }}
podman pull ${{ env.IMAGE_REGISTRY }}/akmods-zfs:${{ env.KERNEL_FLAVOR }}-${{ env.FEDORA_VERSION }} podman pull ${{ env.IMAGE_REGISTRY }}/akmods-zfs:${{ env.KERNEL_FLAVOR }}-${{ env.FEDORA_VERSION }}
podman pull ${{ env.IMAGE_REGISTRY }}/config:latest
- name: Verify versions - name: Verify versions
shell: bash shell: bash
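Review bot: The added `podman pull ${{ env.IMAGE_REGISTRY }}/config:latest` in both hunks fetches a mutable tag, and no signature check on it is visible before the build consumes it. This commit also deletes the in-repo container policy and public key, so the `ublue-os-signing` RPM from that image presumably becomes the source of the built image's signature-verification settings; an unintended push to `config:latest` would then flow into the trust configuration of every build. Consider verifying the image right after the pull, e.g. `cosign verify --key <path-to-ublue-os-public-key> ${{ env.IMAGE_REGISTRY }}/config:latest`, or pulling it by digest. The run step starts outside both hunks, so a check elsewhere in the job cannot be ruled out from here.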


@@ -7,10 +7,12 @@ ARG KERNEL_FLAVOR="${KERNEL_FLAVOR:-coreos-stable}"
ARG AKMODS_COMMON="${IMAGE_REGISTRY}/akmods:${KERNEL_FLAVOR}-${FEDORA_VERSION}" ARG AKMODS_COMMON="${IMAGE_REGISTRY}/akmods:${KERNEL_FLAVOR}-${FEDORA_VERSION}"
ARG AKMODS_NVIDIA="${IMAGE_REGISTRY}/akmods-nvidia:${KERNEL_FLAVOR}-${FEDORA_VERSION}" ARG AKMODS_NVIDIA="${IMAGE_REGISTRY}/akmods-nvidia:${KERNEL_FLAVOR}-${FEDORA_VERSION}"
ARG AKMODS_ZFS="${IMAGE_REGISTRY}/akmods-zfs:${KERNEL_FLAVOR}-${FEDORA_VERSION}" ARG AKMODS_ZFS="${IMAGE_REGISTRY}/akmods-zfs:${KERNEL_FLAVOR}-${FEDORA_VERSION}"
ARG CONFIG="${IMAGE_REGISTRY}/config:latest"
ARG KERNEL="${IMAGE_REGISTRY}/${KERNEL_FLAVOR}-kernel:${FEDORA_VERSION}" ARG KERNEL="${IMAGE_REGISTRY}/${KERNEL_FLAVOR}-kernel:${FEDORA_VERSION}"
FROM ${AKMODS_COMMON} AS akmods-common FROM ${AKMODS_COMMON} AS akmods-common
FROM ${AKMODS_NVIDIA} AS akmods-nvidia FROM ${AKMODS_NVIDIA} AS akmods-nvidia
FROM ${AKMODS_ZFS} AS akmods-zfs FROM ${AKMODS_ZFS} AS akmods-zfs
FROM ${CONFIG} AS config
FROM ${KERNEL} AS kernel FROM ${KERNEL} AS kernel
# image base # image base
@@ -26,6 +28,7 @@ COPY --from=akmods-common /rpms/ucore/ublue*.rpm /tmp/rpms/
COPY --from=akmods-nvidia /rpms/kmods/*.rpm /tmp/rpms/nvidia/ COPY --from=akmods-nvidia /rpms/kmods/*.rpm /tmp/rpms/nvidia/
COPY --from=akmods-nvidia /rpms/ucore/ublue*.rpm /tmp/rpms/nvidia/ COPY --from=akmods-nvidia /rpms/ucore/ublue*.rpm /tmp/rpms/nvidia/
COPY --from=akmods-zfs /rpms/kmods/zfs/*.rpm /tmp/rpms/zfs/ COPY --from=akmods-zfs /rpms/kmods/zfs/*.rpm /tmp/rpms/zfs/
COPY --from=config /rpms/ublue-os-signing*.rpm /tmp/rpms/
COPY --from=kernel /tmp/rpms/ /tmp/kernel-rpms/ COPY --from=kernel /tmp/rpms/ /tmp/kernel-rpms/
COPY *.sh /tmp/ COPY *.sh /tmp/
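Review bot: `ARG CONFIG="${IMAGE_REGISTRY}/config:latest"` is the only stage reference in this hunk that is not keyed to a version, and the stage it names supplies `ublue-os-signing*.rpm`, which appears to replace the policy file, registries.d entry and public key that this commit deletes. Pinning it by digest, `ARG CONFIG="${IMAGE_REGISTRY}/config@sha256:<digest>"`, would keep that trust root reproducible and reviewable; the same two lines are added in the next build-file section (the `ucore-minimal` one). The hunks only copy the RPM into `/tmp/rpms/`, and none of the six file sections shown looks like an install script, so it is worth confirming that the existing script installs it and that the built image still carries a `sigstoreSigned` policy for `ghcr.io/ublue-os`. A comment above the `COPY --from=config` line such as `# signing policy and public key now come from the config image` would document the dependency.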


@@ -7,10 +7,12 @@ ARG KERNEL_FLAVOR="${KERNEL_FLAVOR:-coreos-stable}"
ARG AKMODS_COMMON="${IMAGE_REGISTRY}/akmods:${KERNEL_FLAVOR}-${FEDORA_VERSION}" ARG AKMODS_COMMON="${IMAGE_REGISTRY}/akmods:${KERNEL_FLAVOR}-${FEDORA_VERSION}"
ARG AKMODS_NVIDIA="${IMAGE_REGISTRY}/akmods-nvidia:${KERNEL_FLAVOR}-${FEDORA_VERSION}" ARG AKMODS_NVIDIA="${IMAGE_REGISTRY}/akmods-nvidia:${KERNEL_FLAVOR}-${FEDORA_VERSION}"
ARG AKMODS_ZFS="${IMAGE_REGISTRY}/akmods-zfs:${KERNEL_FLAVOR}-${FEDORA_VERSION}" ARG AKMODS_ZFS="${IMAGE_REGISTRY}/akmods-zfs:${KERNEL_FLAVOR}-${FEDORA_VERSION}"
ARG CONFIG="${IMAGE_REGISTRY}/config:latest"
ARG KERNEL="${IMAGE_REGISTRY}/${KERNEL_FLAVOR}-kernel:${FEDORA_VERSION}" ARG KERNEL="${IMAGE_REGISTRY}/${KERNEL_FLAVOR}-kernel:${FEDORA_VERSION}"
FROM ${AKMODS_COMMON} AS akmods-common FROM ${AKMODS_COMMON} AS akmods-common
FROM ${AKMODS_NVIDIA} AS akmods-nvidia FROM ${AKMODS_NVIDIA} AS akmods-nvidia
FROM ${AKMODS_ZFS} AS akmods-zfs FROM ${AKMODS_ZFS} AS akmods-zfs
FROM ${CONFIG} AS config
FROM ${KERNEL} AS kernel FROM ${KERNEL} AS kernel
# ucore-minimal image section # ucore-minimal image section
@@ -31,6 +33,7 @@ COPY --from=akmods-common /rpms/ucore/ublue*.rpm /tmp/rpms/
COPY --from=akmods-nvidia /rpms/kmods/*.rpm /tmp/rpms/nvidia/ COPY --from=akmods-nvidia /rpms/kmods/*.rpm /tmp/rpms/nvidia/
COPY --from=akmods-nvidia /rpms/ucore/ublue*.rpm /tmp/rpms/nvidia/ COPY --from=akmods-nvidia /rpms/ucore/ublue*.rpm /tmp/rpms/nvidia/
COPY --from=akmods-zfs /rpms/kmods/zfs/*.rpm /tmp/rpms/zfs/ COPY --from=akmods-zfs /rpms/kmods/zfs/*.rpm /tmp/rpms/zfs/
COPY --from=config /rpms/ublue-os-signing*.rpm /tmp/rpms/
COPY --from=kernel /tmp/rpms/ /tmp/kernel-rpms/ COPY --from=kernel /tmp/rpms/ /tmp/kernel-rpms/
COPY *.sh /tmp/ COPY *.sh /tmp/


@@ -1,95 +0,0 @@
{
"default": [
{
"type": "reject"
}
],
"transports": {
"docker": {
"registry.access.redhat.com": [
{
"type": "signedBy",
"keyType": "GPGKeys",
"keyPath": "/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release"
}
],
"registry.redhat.io": [
{
"type": "signedBy",
"keyType": "GPGKeys",
"keyPath": "/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release"
}
],
"ghcr.io/ublue-os": [
{
"type": "sigstoreSigned",
"keyPath": "/usr/etc/pki/containers/ublue-os.pub",
"signedIdentity": {
"type": "matchRepository"
}
}
],
"": [
{
"type": "insecureAcceptAnything"
}
]
},
"docker-daemon": {
"": [
{
"type": "insecureAcceptAnything"
}
]
},
"atomic": {
"": [
{
"type": "insecureAcceptAnything"
}
]
},
"containers-storage": {
"": [
{
"type": "insecureAcceptAnything"
}
]
},
"dir": {
"": [
{
"type": "insecureAcceptAnything"
}
]
},
"oci": {
"": [
{
"type": "insecureAcceptAnything"
}
]
},
"oci-archive": {
"": [
{
"type": "insecureAcceptAnything"
}
]
},
"docker-archive": {
"": [
{
"type": "insecureAcceptAnything"
}
]
},
"tarball": {
"": [
{
"type": "insecureAcceptAnything"
}
]
}
}
}


@@ -1,3 +0,0 @@
docker:
ghcr.io/ublue-os:
use-sigstore-attachments: true


@@ -1,4 +0,0 @@
-----BEGIN PUBLIC KEY-----
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE7lh7fJMV4dBT2jT1XafixUJa7OVA
cT+QFVD8IfIJIS/KBAc8hx1aslzkH3tfeM0cwyCLB7kOStZ4sh6RyFQD9w==
-----END PUBLIC KEY-----