Merge branch 'template' into image-signing

2025-11-07 13:58:03 +00:00 · 2023-07-23 19:45:43 -07:00
parent cf41e52129 b6eb19c105
commit 28735a25ae
3 changed files with 83 additions and 0 deletions
--- a/scripts/build.sh
+++ b/scripts/build.sh
@@ -22,6 +22,12 @@ YAFTI_ENABLED="$(get_yaml_string '.firstboot.yafti')"
 # Welcome.
 echo "Building custom Fedora ${FEDORA_VERSION} from image: \"${BASE_IMAGE}\"."
 # Setup container signing
 echo "Setup container signing in policy.json and cosign.yaml"
 echo "Registry to write: $IMAGE_REGISTRY"
 sed -i "s ghcr.io/ublue-os $IMAGE_REGISTRY g" /usr/etc/containers/policy.json
 sed -i "s ghcr.io/ublue-os $IMAGE_REGISTRY g" /usr/etc/containers/registries.d/cosign.yaml
 # Add custom repos.
 get_yaml_array repos '.rpm.repos[]'
 if [[ ${#repos[@]} -gt 0 ]]; then
--- a/usr/etc/containers/policy.json
+++ b/usr/etc/containers/policy.json
@@ -0,0 +1,74 @@
 {
    "default": [
        {
            "type": "reject"
        }
    ],
    "transports": {
        "docker": {
            "registry.access.redhat.com": [
                {
                    "type": "signedBy",
                    "keyType": "GPGKeys",
                    "keyPath": "/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release"
                }
            ],
            "registry.redhat.io": [
                {
                    "type": "signedBy",
                    "keyType": "GPGKeys",
                    "keyPath": "/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release"
                }
            ],
            "ghcr.io/ublue-os": [
                {
                    "type": "sigstoreSigned",
                    "keyPath": "/usr/etc/pki/containers/cosign.pub",
                    "signedIdentity": {
                        "type": "matchRepository"
                    }
                }
            ],
            "": [
                {
                    "type": "insecureAcceptAnything"
                }
            ]
        },
        "docker-daemon": {
            "": [
                {
                    "type": "insecureAcceptAnything"
                }
            ]
        },
        "atomic": {
            "": [
                {
                    "type": "insecureAcceptAnything"
                }
            ]
        },
        "dir": {
            "": [
                {
                    "type": "insecureAcceptAnything"
                }
            ]
        },
        "oci": {
            "": [
                {
                    "type": "insecureAcceptAnything"
                }
            ]
        },
        "tarball": {
            "": [
                {
                    "type": "insecureAcceptAnything"
                }
            ]
        }
    }
 }
--- a/usr/etc/containers/registries.d/cosign.yaml
+++ b/usr/etc/containers/registries.d/cosign.yaml
@@ -0,0 +1,3 @@
 docker:
  ghcr.io/ublue-os:
    use-sigstore-attachments: true