Merge pull request #117 from gerblesh/image-signing

refactor: clean up image signing to line up more with upstream
2025-11-07 13:58:03 +00:00 · 2023-07-23 12:55:55 -04:00
parent 50c6629181 e85e8f6304
commit ebdc55ccec
4 changed files with 15 additions and 85 deletions
--- a/2
+++ b/2
@@ -29,8 +29,6 @@ COPY usr /usr

 # Copy public key
 COPY cosign.pub /usr/etc/pki/containers/cosign.pub
-# Copy base signing config
-COPY usr/etc/containers /usr/etc/

 # Copy the recipe that we're building.
 COPY ${RECIPE} /usr/share/ublue-os/recipe.yml
--- a/scripts/build.sh
+++ b/scripts/build.sh
@@ -22,12 +22,6 @@ YAFTI_ENABLED="$(get_yaml_string '.firstboot.yafti')"
 # Welcome.
 echo "Building custom Fedora ${FEDORA_VERSION} from image: \"${BASE_IMAGE}\"."

-# Setup container signing
-echo "Setup container signing in policy.json and cosign.yaml"
-echo "Registry to write: $IMAGE_REGISTRY"
-sed -i "s ghcr.io/ublue-os $IMAGE_REGISTRY g" /usr/etc/containers/policy.json
-sed -i "s ghcr.io/ublue-os $IMAGE_REGISTRY g" /usr/etc/containers/registries.d/cosign.yaml
-
 # Add custom repos.
 get_yaml_array repos '.rpm.repos[]'
 if [[ ${#repos[@]} -gt 0 ]]; then
@@ -111,5 +105,20 @@ if [[ "${YAFTI_ENABLED}" == "true" ]]; then
    fi
 fi

+# Setup container signing
+echo "Setup container signing in policy.json and cosign.yaml"
+echo "Registry to write: $IMAGE_REGISTRY"
+
+jq '.transports.docker."$IMAGE_REGISTRY" += [{
+    "type": "sigstoreSigned",
+    "keyPath": "/usr/etc/pki/containers/cosign.pub",
+    "signedIdentity": {
+        "type": "matchRepository"
+    }
+}]' /usr/etc/containers/policy.json > /usr/etc/containers/policy.json
+
+cp /usr/etc/containers/registries.d/ublue-os.yaml /usr/etc/containers/registries.d/cosign.yaml
+sed -i "s ghcr.io/ublue-os $IMAGE_REGISTRY g" /usr/etc/containers/registries.d/cosign.yaml
+
 # Run "post" scripts.
 run_scripts "post"
--- a/usr/etc/containers/policy.json
+++ b/usr/etc/containers/policy.json
@@ -1,74 +0,0 @@
-{
-    "default": [
-        {
-            "type": "reject"
-        }
-    ],
-    "transports": {
-        "docker": {
-            "registry.access.redhat.com": [
-                {
-                    "type": "signedBy",
-                    "keyType": "GPGKeys",
-                    "keyPath": "/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release"
-                }
-            ],
-            "registry.redhat.io": [
-                {
-                    "type": "signedBy",
-                    "keyType": "GPGKeys",
-                    "keyPath": "/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release"
-                }
-            ],
-            "ghcr.io/ublue-os": [
-                {
-                    "type": "sigstoreSigned",
-                    "keyPath": "/usr/etc/pki/containers/cosign.pub",
-                    "signedIdentity": {
-                        "type": "matchRepository"
-                    }
-                }
-            ],
-            "": [
-                {
-                    "type": "insecureAcceptAnything"
-                }
-            ]
-        },
-        "docker-daemon": {
-            "": [
-                {
-                    "type": "insecureAcceptAnything"
-                }
-            ]
-        },
-        "atomic": {
-            "": [
-                {
-                    "type": "insecureAcceptAnything"
-                }
-            ]
-        },
-        "dir": {
-            "": [
-                {
-                    "type": "insecureAcceptAnything"
-                }
-            ]
-        },
-        "oci": {
-            "": [
-                {
-                    "type": "insecureAcceptAnything"
-                }
-            ]
-        },
-        "tarball": {
-            "": [
-                {
-                    "type": "insecureAcceptAnything"
-                }
-            ]
-        }
-    }
-}
--- a/usr/etc/containers/registries.d/cosign.yaml
+++ b/usr/etc/containers/registries.d/cosign.yaml
@@ -1,3 +0,0 @@
-docker:
-  ghcr.io/ublue-os:
-    use-sigstore-attachments: true