diff --git a/Containerfile b/Containerfile index c86846f..9b59903 100644 --- a/Containerfile +++ b/Containerfile @@ -29,8 +29,6 @@ COPY usr /usr # Copy public key COPY cosign.pub /usr/etc/pki/containers/cosign.pub -# Copy base signing config -COPY usr/etc/containers /usr/etc/ # Copy the recipe that we're building. COPY ${RECIPE} /usr/share/ublue-os/recipe.yml diff --git a/scripts/build.sh b/scripts/build.sh index b6d5ac6..3f25615 100644 --- a/scripts/build.sh +++ b/scripts/build.sh @@ -22,12 +22,6 @@ YAFTI_ENABLED="$(get_yaml_string '.firstboot.yafti')" # Welcome. echo "Building custom Fedora ${FEDORA_VERSION} from image: \"${BASE_IMAGE}\"." -# Setup container signing -echo "Setup container signing in policy.json and cosign.yaml" -echo "Registry to write: $IMAGE_REGISTRY" -sed -i "s ghcr.io/ublue-os $IMAGE_REGISTRY g" /usr/etc/containers/policy.json -sed -i "s ghcr.io/ublue-os $IMAGE_REGISTRY g" /usr/etc/containers/registries.d/cosign.yaml - # Add custom repos. get_yaml_array repos '.rpm.repos[]' if [[ ${#repos[@]} -gt 0 ]]; then @@ -111,5 +105,20 @@ if [[ "${YAFTI_ENABLED}" == "true" ]]; then fi fi +# Setup container signing +echo "Setup container signing in policy.json and cosign.yaml" +echo "Registry to write: $IMAGE_REGISTRY" + +jq '.transports.docker."$IMAGE_REGISTRY" += [{ + "type": "sigstoreSigned", + "keyPath": "/usr/etc/pki/containers/cosign.pub", + "signedIdentity": { + "type": "matchRepository" + } +}]' /usr/etc/containers/policy.json > /usr/etc/containers/policy.json + +cp /usr/etc/containers/registries.d/ublue-os.yaml /usr/etc/containers/registries.d/cosign.yaml +sed -i "s ghcr.io/ublue-os $IMAGE_REGISTRY g" /usr/etc/containers/registries.d/cosign.yaml + # Run "post" scripts. run_scripts "post" diff --git a/usr/etc/containers/policy.json b/usr/etc/containers/policy.json deleted file mode 100644 index aa4e3ee..0000000 --- a/usr/etc/containers/policy.json +++ /dev/null @@ -1,74 +0,0 @@ -{ - "default": [ - { - "type": "reject" - } - ], - "transports": { - "docker": { - "registry.access.redhat.com": [ - { - "type": "signedBy", - "keyType": "GPGKeys", - "keyPath": "/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release" - } - ], - "registry.redhat.io": [ - { - "type": "signedBy", - "keyType": "GPGKeys", - "keyPath": "/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release" - } - ], - "ghcr.io/ublue-os": [ - { - "type": "sigstoreSigned", - "keyPath": "/usr/etc/pki/containers/cosign.pub", - "signedIdentity": { - "type": "matchRepository" - } - } - ], - "": [ - { - "type": "insecureAcceptAnything" - } - ] - }, - "docker-daemon": { - "": [ - { - "type": "insecureAcceptAnything" - } - ] - }, - "atomic": { - "": [ - { - "type": "insecureAcceptAnything" - } - ] - }, - "dir": { - "": [ - { - "type": "insecureAcceptAnything" - } - ] - }, - "oci": { - "": [ - { - "type": "insecureAcceptAnything" - } - ] - }, - "tarball": { - "": [ - { - "type": "insecureAcceptAnything" - } - ] - } - } -} diff --git a/usr/etc/containers/registries.d/cosign.yaml b/usr/etc/containers/registries.d/cosign.yaml deleted file mode 100644 index 24b197f..0000000 --- a/usr/etc/containers/registries.d/cosign.yaml +++ /dev/null @@ -1,3 +0,0 @@ -docker: - ghcr.io/ublue-os: - use-sigstore-attachments: true