org.osbuild.ostree.sign: Support ostree sign to sign commits
This form of signatures has been (build-time-optionally) supported since ostree 2020.4 as an alternative to the old gpg signatures. With the current work on composefs[1] they are becoming more important, as they will allow verification of the commit (and thus the composefs image) during boot, giving us a full trusted boot chain all the way into the ostree userspace. Note: `ostree sign` used to require libsodium and was thus disabled in e.g. the Fedora build of ostree. However, recently[2] it is also supported with openssl, which will let it be more widely used. [1] https://github.com/ostreedev/ostree/pull/2921 [2] https://github.com/ostreedev/ostree/pull/2922
This commit is contained in:
parent
9185d8e1ce
commit
cf00c5b214
1 changed files with 55 additions and 0 deletions
55
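--- a/stages/org.osbuild.ostree.sign
+++ b/stages/org.osbuild.ostree.sign
@@ -0,0 +1,55 @@
+#!/usr/bin/python3
+"""Sign a commit in an ostree repo
+
+Given an ostree commit (referenced by a ref) in a repo and an ed25519
+secret key this adds a signature to the commit detached metadata.
+This commit can then be used to validate the commit, during ostree
+pull, during boot, or at any other time.
+
+"""
+
+import os
+import sys
+
+from osbuild import api
+from osbuild.util import ostree
+
+SCHEMA_2 = r"""
+"options": {
+  "additionalProperties": false,
+  "required": ["repo", "ref", "key"],
+  "properties": {
+    "repo": {
+      "description": "Location of the OSTree repo.",
+      "type": "string"
+    },
+    "ref": {
+      "description": "OSTree branch name or commit to sign",
+      "type": "string",
+      "default": ""
+    },
+    "key": {
+      "description": "Path to the secret key",
+      "type": "string",
+      "pattern": "^\\/(?!\\.\\.)((?!\\/\\.\\.\\/).)+$"
+    }
+  }
+}
+"""
+
+
+def main(tree, options):
+    repo = os.path.join(tree, options["repo"].lstrip("/"))
+    ref = options["ref"]
+    keyfile = os.path.join(tree, options["key"].lstrip("/"))
+
+    ostree.cli("sign", ref, **{"repo": repo, "keys-file": keyfile})
+
+
+if __name__ == '__main__':
+    stage_args = api.arguments()
+
+    r = main(stage_args["tree"],
+             stage_args["options"])
+
+    sys.exit(r)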
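Review bot: main() resolves the signing secret from inside the tree being built (`keyfile = os.path.join(tree, options["key"].lstrip("/"))`), so the ed25519 secret key has to be present in the image content and will remain in the output artifact unless a later stage deletes it; sourcing the key from a stage input or a location outside the tree would keep the signing secret out of the result, and the docstring should state where the key is expected to live. The schema also gives `ref` a `"default": ""` although it is in `required`, and an empty ref goes straight into `ostree.cli("sign", ref, ...)`; dropping the default, or checking `if not ref: raise ValueError("ref must not be empty")` before the call, gives a clearer failure than whatever the ostree CLI reports. The docstring sentence `This commit can then be used to validate the commit` appears to mean the signature and reads better as `This signature can then be used to validate the commit`. main() returns None, so `sys.exit(r)` always exits 0; returning an explicit `0` from main would make that intent visible.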