From 23d8b2dddb19fa739133dd4a385d65b46ca2d22f Mon Sep 17 00:00:00 2001 From: gerblesh <101901964+gerblesh@users.noreply.github.com> Date: Sat, 22 Jul 2023 22:07:25 -0700 Subject: [PATCH 1/3] refactor: clean up image signing to line up more with upstream --- Containerfile | 2 - scripts/build.sh | 13 ++-- usr/etc/containers/policy.json | 74 --------------------- usr/etc/containers/registries.d/cosign.yaml | 3 - 4 files changed, 7 insertions(+), 85 deletions(-) delete mode 100644 usr/etc/containers/policy.json delete mode 100644 usr/etc/containers/registries.d/cosign.yaml diff --git a/Containerfile b/Containerfile index c86846f..9b59903 100644 --- a/Containerfile +++ b/Containerfile @@ -29,8 +29,6 @@ COPY usr /usr # Copy public key COPY cosign.pub /usr/etc/pki/containers/cosign.pub -# Copy base signing config -COPY usr/etc/containers /usr/etc/ # Copy the recipe that we're building. COPY ${RECIPE} /usr/share/ublue-os/recipe.yml diff --git a/scripts/build.sh b/scripts/build.sh index b6d5ac6..1a42d8c 100644 --- a/scripts/build.sh +++ b/scripts/build.sh @@ -22,12 +22,6 @@ YAFTI_ENABLED="$(get_yaml_string '.firstboot.yafti')" # Welcome. echo "Building custom Fedora ${FEDORA_VERSION} from image: \"${BASE_IMAGE}\"." -# Setup container signing -echo "Setup container signing in policy.json and cosign.yaml" -echo "Registry to write: $IMAGE_REGISTRY" -sed -i "s ghcr.io/ublue-os $IMAGE_REGISTRY g" /usr/etc/containers/policy.json -sed -i "s ghcr.io/ublue-os $IMAGE_REGISTRY g" /usr/etc/containers/registries.d/cosign.yaml - # Add custom repos. get_yaml_array repos '.rpm.repos[]' if [[ ${#repos[@]} -gt 0 ]]; then 
@@ -111,5 +105,12 @@ if [[ "${YAFTI_ENABLED}" == "true" ]]; then fi fi +# Setup container signing +echo "Setup container signing in policy.json and cosign.yaml" +echo "Registry to write: $IMAGE_REGISTRY" +sed -i "s ghcr.io/ublue-os $IMAGE_REGISTRY g" /usr/etc/containers/policy.json +sed -i "s ublue-os.pub cosign.pub g" /usr/etc/containers/policy.json +sed -i "s ghcr.io/ublue-os $IMAGE_REGISTRY g" /usr/etc/containers/registries.d/cosign.yaml + # Run "post" scripts. run_scripts "post" diff --git a/usr/etc/containers/policy.json b/usr/etc/containers/policy.json deleted file mode 100644 index aa4e3ee..0000000 --- a/usr/etc/containers/policy.json +++ /dev/null @@ -1,74 +0,0 @@ -{ - "default": [ - { - "type": "reject" - } - ], - "transports": { - "docker": { - "registry.access.redhat.com": [ - { - "type": "signedBy", - "keyType": "GPGKeys", - "keyPath": "/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release" - } - ], - "registry.redhat.io": [ - { - "type": "signedBy", - "keyType": "GPGKeys", - "keyPath": "/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release" - } - ], - "ghcr.io/ublue-os": [ - { - "type": "sigstoreSigned", - "keyPath": "/usr/etc/pki/containers/cosign.pub", - "signedIdentity": { - "type": "matchRepository" - } - } - ], - "": [ - { - "type": "insecureAcceptAnything" - } - ] - }, - "docker-daemon": { - "": [ - { - "type": "insecureAcceptAnything" - } - ] - }, - "atomic": { - "": [ - { - "type": "insecureAcceptAnything" - } - ] - }, - "dir": { - "": [ - { - "type": "insecureAcceptAnything" - } - ] - }, - "oci": { - "": [ - { - "type": "insecureAcceptAnything" - } - ] - }, - "tarball": { - "": [ - { - "type": "insecureAcceptAnything" - } - ] - } - } -} diff --git a/usr/etc/containers/registries.d/cosign.yaml b/usr/etc/containers/registries.d/cosign.yaml deleted file mode 100644 index 24b197f..0000000 --- a/usr/etc/containers/registries.d/cosign.yaml +++ /dev/null @@ -1,3 +0,0 @@ -docker: - ghcr.io/ublue-os: - use-sigstore-attachments: true 
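Review bot: The three added `sed -i "s ghcr.io/ublue-os $IMAGE_REGISTRY g" …` lines splice `$IMAGE_REGISTRY` straight into a sed `s` command whose delimiter is a space, so a value containing a space, `&` or a backslash rewrites the command rather than being written literally, and the `.` in `ghcr.io` is a regex wildcard rather than a literal dot. Where the variable is assigned is outside this hunk, so if it comes from the recipe it is user-controlled input and should be checked before use, e.g. `[[ "$IMAGE_REGISTRY" =~ ^[A-Za-z0-9./:_-]+$ ]] || { echo "invalid IMAGE_REGISTRY" >&2; exit 1; }` ahead of the sed calls. This commit also deletes the repo's own policy.json and drops its COPY from the Containerfile, so these edits now target whatever policy.json the base image ships; `sed -i` exits 0 when the pattern is absent, which would leave the policy unchanged and the custom registry with no sigstoreSigned rule without any build error, so a `grep -q 'ghcr.io/ublue-os' /usr/etc/containers/policy.json || exit 1` before the edits would make that failure visible. Patch 2/3 replaces the two policy.json seds with jq but keeps the identical sed on cosign.yaml, so the input check applies there as well.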
From 211a7b05a82ddda18c63f9a239f7726f119cb935 Mon Sep 17 00:00:00 2001 From: gerblesh <101901964+gerblesh@users.noreply.github.com> Date: Sat, 22 Jul 2023 23:37:13 -0700 Subject: [PATCH 2/3] feat: add signature rather than replace to allow rebasing back to uBlue main --- scripts/build.sh | 12 ++++++++++-- 1 file changed, 10 insertions(+), 2 deletions(-) diff --git a/scripts/build.sh b/scripts/build.sh index 1a42d8c..3008878 100644 --- a/scripts/build.sh +++ b/scripts/build.sh @@ -108,8 +108,16 @@ fi # Setup container signing echo "Setup container signing in policy.json and cosign.yaml" echo "Registry to write: $IMAGE_REGISTRY" -sed -i "s ghcr.io/ublue-os $IMAGE_REGISTRY g" /usr/etc/containers/policy.json -sed -i "s ublue-os.pub cosign.pub g" /usr/etc/containers/policy.json + +jq '.transports.docker."$IMAGE_REGISTRY" += [{ +"type": "sigstoreSigned", +"keyPath": "/usr/etc/pki/containers/cosign.pub", +"signedIdentity": { + "type": "matchRepository" +} +}]' /usr/etc/containers/policy.json > /usr/etc/containers/policy.json + +cp /usr/etc/containers/registries.d/ublue-os.yaml /usr/etc/containers/registries.d/cosign.yaml sed -i "s ghcr.io/ublue-os $IMAGE_REGISTRY g" /usr/etc/containers/registries.d/cosign.yaml # Run "post" scripts. From e85e8f6304a259968141e1b2e35364d8839ed772 Mon Sep 17 00:00:00 2001 From: gerblesh <101901964+gerblesh@users.noreply.github.com> Date: Sat, 22 Jul 2023 23:40:33 -0700 Subject: [PATCH 3/3] style: format whitespace --- scripts/build.sh | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/scripts/build.sh b/scripts/build.sh index 3008878..3f25615 100644 --- a/scripts/build.sh +++ b/scripts/build.sh 
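Review bot: The new jq invocation in the `@@ -108,8 +108,16 @@` hunk never expands `$IMAGE_REGISTRY`: the filter is in single quotes, so jq adds the sigstoreSigned rule under the literal key `$IMAGE_REGISTRY`, and images from the real registry are not covered by it. The same line also redirects `> /usr/etc/containers/policy.json` while reading that file, and the shell truncates the output file before jq starts, so jq reads an empty document and the resulting policy.json is empty rather than merely wrong; whether build.sh runs under `set -e` is not visible here, so this may also go unnoticed at build time. Pass the registry in with `--arg` and index the object with it, write to a temporary file and move it into place only on success, as below. The `cp … ublue-os.yaml … cosign.yaml` line presumes the base image ships that registries.d file; if that assumption is meant to be load-bearing, a comment saying so (e.g. `# ublue-os.yaml is provided by the upstream base image`) would help the next maintainer. Patch 3/3 reindents these same lines and inherits both problems.
```shell
# … unchanged: echo "Setup container signing …" / echo "Registry to write: …" …
policy=/usr/etc/containers/policy.json
tmp_policy=$(mktemp) || exit 1
jq --arg registry "$IMAGE_REGISTRY" '.transports.docker[$registry] += [{
  "type": "sigstoreSigned",
  "keyPath": "/usr/etc/pki/containers/cosign.pub",
  "signedIdentity": {
    "type": "matchRepository"
  }
}]' "$policy" > "$tmp_policy" && mv -- "$tmp_policy" "$policy"
# … unchanged: cp of ublue-os.yaml to cosign.yaml and the sed on cosign.yaml …
```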
@@ -110,11 +110,11 @@ echo "Setup container signing in policy.json and cosign.yaml" echo "Registry to write: $IMAGE_REGISTRY" jq '.transports.docker."$IMAGE_REGISTRY" += [{ -"type": "sigstoreSigned", -"keyPath": "/usr/etc/pki/containers/cosign.pub", -"signedIdentity": { + "type": "sigstoreSigned", + "keyPath": "/usr/etc/pki/containers/cosign.pub", + "signedIdentity": { "type": "matchRepository" -} + } }]' /usr/etc/containers/policy.json > /usr/etc/containers/policy.json cp /usr/etc/containers/registries.d/ublue-os.yaml /usr/etc/containers/registries.d/cosign.yaml