From 2ff118dbdc7a0553bb4bf6c21e167607d0bdc34d Mon Sep 17 00:00:00 2001
From: gerblesh <101901964+gerblesh@users.noreply.github.com>
Date: Sat, 3 Feb 2024 02:30:01 -0800
Subject: [PATCH] feat: add signing module to replace `signing.sh` (#111)
* feat: signing module
* docs: add docs for `signing` module
* fix(signing.sh): add space to if
Co-authored-by: Gerald Pinder
* fix(signing): grammar in README and formatting in signing.sh
* fix: only modify image-info.json
* fix: typo in image vendor name
---------
Co-authored-by: Gerald Pinder
---
 modules/signing/README.md | 3 +
 modules/signing/image-info.json | 6 ++
 modules/signing/policy.json | 86 ++++++++++++++++++++++++++++
 modules/signing/registry-config.yaml | 3 +
 modules/signing/signing.sh | 56 ++++++++++++++++++
 5 files changed, 154 insertions(+)
 create mode 100644 modules/signing/README.md
 create mode 100644 modules/signing/image-info.json
 create mode 100644 modules/signing/policy.json
 create mode 100644 modules/signing/registry-config.yaml
 create mode 100644 modules/signing/signing.sh
diff --git a/modules/signing/README.md b/modules/signing/README.md
new file mode 100644
index 0000000..13e5afc
--- /dev/null
+++ b/modules/signing/README.md
@@ -0,0 +1,3 @@
+# `signing` Module for Startingpoint
+
+The `signing` module is used to install the required signing policies for cosign image verification with [`rpm-ostree`](https://github.com/coreos/rpm-ostree) and [`bootc`](https://github.com/containers/bootc). This module is the successor to the signing.sh script that previously existed in the template, and it allows for basing off of non-Universal-Blue Fedora base images.
diff --git a/modules/signing/image-info.json b/modules/signing/image-info.json
new file mode 100644
index 0000000..6522f5e
--- /dev/null
+++ b/modules/signing/image-info.json
@@ -0,0 +1,6 @@
+{
+ "image-ref": "IMAGE_REF",
+ "image-tag": "latest",
+ "image-vendor": "bluebuild",
+ "fedora-version": "FEDORA_MAJOR_VERSION"
+}
diff --git a/modules/signing/policy.json b/modules/signing/policy.json
new file mode 100644
index 0000000..d4c7ba2
--- /dev/null
+++ b/modules/signing/policy.json
@@ -0,0 +1,86 @@
+{
+ "default": [
+ {
+ "type": "reject"
+ }
+ ],
+ "transports": {
+ "docker": {
+ "registry.access.redhat.com": [
+ {
+ "type": "signedBy",
+ "keyType": "GPGKeys",
+ "keyPath": "/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release"
+ }
+ ],
+ "registry.redhat.io": [
+ {
+ "type": "signedBy",
+ "keyType": "GPGKeys",
+ "keyPath": "/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release"
+ }
+ ],
+ "": [
+ {
+ "type": "insecureAcceptAnything"
+ }
+ ]
+ },
+ "docker-daemon": {
+ "": [
+ {
+ "type": "insecureAcceptAnything"
+ }
+ ]
+ },
+ "atomic": {
+ "": [
+ {
+ "type": "insecureAcceptAnything"
+ }
+ ]
+ },
+ "containers-storage": {
+ "": [
+ {
+ "type": "insecureAcceptAnything"
+ }
+ ]
+ },
+ "dir": {
+ "": [
+ {
+ "type": "insecureAcceptAnything"
+ }
+ ]
+ },
+ "oci": {
+ "": [
+ {
+ "type": "insecureAcceptAnything"
+ }
+ ]
+ },
+ "oci-archive": {
+ "": [
+ {
+ "type": "insecureAcceptAnything"
+ }
+ ]
+ },
+ "docker-archive": {
+ "": [
+ {
+ "type": "insecureAcceptAnything"
+ }
+ ]
+ },
+ "tarball": {
+ "": [
+ {
+ "type": "insecureAcceptAnything"
+ }
+ ]
+ }
+ }
+}
diff --git a/modules/signing/registry-config.yaml b/modules/signing/registry-config.yaml
new file mode 100644
index 0000000..179d45e
--- /dev/null
+++ b/modules/signing/registry-config.yaml
@@ -0,0 +1,3 @@
+docker:
+ ghcr.io/IMAGENAME:
+ use-sigstore-attachments: true
diff --git a/modules/signing/signing.sh b/modules/signing/signing.sh
new file mode 100644
index 0000000..30c132e
--- /dev/null
+++ b/modules/signing/signing.sh
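Review bot: The `"docker"` transport's `""` fallback entry with `insecureAcceptAnything` means the top-level `default: reject` never applies to pulls over the docker transport: any registry or repository not explicitly listed (only the two Red Hat registries here, plus the single repository signing.sh appends) is accepted without any signature check. That mirrors the common containers-policy default, but since the README presents this module as the signing-policy installer for non-Universal-Blue bases, it would be worth stating there that only the image's own repository is verified and that a rebase to any other repository is accepted unverified, so users who want a stricter posture know to replace the fallback with `{"type": "reject"}`. The JSON itself cannot carry that comment, so the README is the place for it.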
@@ -0,0 +1,56 @@
+#!/usr/bin/env bash
+
+# Tell build process to exit if there are any errors.
+set -oue pipefail
+
+CONTAINER_DIR="/usr/etc/containers"
+MODULE_DIRECTORY="${MODULE_DIRECTORY:-"/tmp/modules"}"
+
+echo "Setting up container signing in policy.json and cosign.yaml for $IMAGE_NAME"
+echo "Registry to write: $IMAGE_REGISTRY"
+
+if ! [ -d "$CONTAINER_DIR" ]; then
+ mkdir -p "$CONTAINER_DIR"
+fi
+
+if ! [ -d $CONTAINER_DIR/registries.d ]; then
+ mkdir -p "$CONTAINER_DIR/registries.d"
+fi
+
+if ! [ -d "/usr/etc/pki/containers" ]; then
+ mkdir -p "/usr/etc/pki/containers"
+fi
+
+if ! [ -f "$CONTAINER_DIR/policy.json" ]; then
+ cp "$MODULE_DIRECTORY/signing/policy.json" "$CONTAINER_DIR/policy.json"
+fi
+
+if ! [ -f "/usr/share/ublue-os/image-info.json" ]; then
+ cp "$MODULE_DIRECTORY/signing/image-info.json" "usr/share/ublue-os/image-info.json"
+fi
+
+
+mv "/usr/share/ublue-os/cosign.pub" "$CONTAINER_DIR/$IMAGE_NAME".pub
+
+POLICY_FILE="$CONTAINER_DIR/policy.json"
+IMAGE_INFO="/usr/share/ublue-os/image-info.json"
+
+yq -i -o=j '.transports.docker |=
+ {"'"$IMAGE_REGISTRY"'/'"$IMAGE_NAME"'": [
+ {
+ "type": "sigstoreSigned",
+ "keyPath": "/usr/etc/pki/containers/'"$IMAGE_NAME"'.pub",
+ "signedIdentity": {
+ "type": "matchRepository"
+ }
+ }
+ ]
+ }
++ .' "$POLICY_FILE"
+
+IMAGE_REF="ostree-image-signed:docker://$IMAGE_REGISTRY/$IMAGE_NAME"
+# Sets image-info.json used by ublue-update for auto-rebase workaround. Used by both bazzite and bluefin
+yq -i -o=j '.image-ref="'"$IMAGE_REF"'" | .fedora-version="'"$OS_VERSION"'"' "$IMAGE_INFO"
+
+mv "$MODULE_DIRECTORY/signing/registry-config.yaml" "$CONTAINER_DIR/registries.d/$IMAGE_NAME.yaml"
+sed -i "s ghcr.io/IMAGENAME $IMAGE_REGISTRY g" "$CONTAINER_DIR/registries.d/$IMAGE_NAME.yaml"
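Review bot: The public key is moved to `$CONTAINER_DIR/$IMAGE_NAME.pub` (under /usr/etc/containers), but the `sigstoreSigned` rule written by yq sets `keyPath` to `/usr/etc/pki/containers/$IMAGE_NAME.pub`, the directory the script creates and never populates, so verification of the image's own repository has no key to check against; change the mv to `mv "/usr/share/ublue-os/cosign.pub" "/usr/etc/pki/containers/$IMAGE_NAME.pub"` so it matches the policy. The image-info.json copy also targets the relative path `"usr/share/ublue-os/image-info.json"` (missing leading slash), so the later `yq -i` on `$IMAGE_INFO` edits whatever is at the absolute path, or fails if nothing is there; it should be `cp "$MODULE_DIRECTORY/signing/image-info.json" "/usr/share/ublue-os/image-info.json"`. `[ -d $CONTAINER_DIR/registries.d ]` is the one unquoted test in the file and should read `[ -d "$CONTAINER_DIR/registries.d" ]` like its neighbours. Finally, the sed substitutes `ghcr.io/IMAGENAME` with `$IMAGE_REGISTRY` alone, so the registries.d key becomes the whole registry rather than the image's repository; if per-repository scope was intended, substitute `$IMAGE_REGISTRY/$IMAGE_NAME` instead.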