feat: add signing module to replace signing.sh (#111)

* feat: signing module * docs: add docs for `signing` module * fix(signing.sh): add space to if Co-authored-by: Gerald Pinder <gmpinder@gmail.com> * fix(signing): grammar in README and formatting in signing.sh * fix: only modify image-info.json * fix: typo in image vendor name --------- Co-authored-by: Gerald Pinder <gmpinder@gmail.com>
2024-02-03 02:30:01 -08:00 · 2024-02-03 02:30:01 -08:00 · 2ff118dbdc
commit 2ff118dbdc
parent b528a0acc9
5 changed files with 154 additions and 0 deletions
--- a/modules/signing/README.md
+++ b/modules/signing/README.md
@ -0,0 +1,3 @@
+# `signing` Module for Startingpoint
+
+The `signing` module is used to install the required signing policies for cosign image verification with [`rpm-ostree`](https://github.com/coreos/rpm-ostree) and [`bootc`](https://github.com/containers/bootc). This module is the successor to the signing.sh script that previously existed in the template, and it allows for basing off of non-Universal-Blue Fedora base images.
--- a/modules/signing/image-info.json
+++ b/modules/signing/image-info.json
@ -0,0 +1,6 @@
+{
+    "image-ref": "IMAGE_REF",
+    "image-tag": "latest",
+    "image-vendor": "bluebuild",
+    "fedora-version": "FEDORA_MAJOR_VERSION"
+}
--- a/modules/signing/policy.json
+++ b/modules/signing/policy.json
@ -0,0 +1,86 @@
+{
+    "default": [
+        {
+            "type": "reject"
+        }
+    ],
+    "transports": {
+        "docker": {
+            "registry.access.redhat.com": [
+                {
+                    "type": "signedBy",
+                    "keyType": "GPGKeys",
+                    "keyPath": "/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release"
+                }
+            ],
+            "registry.redhat.io": [
+                {
+                    "type": "signedBy",
+                    "keyType": "GPGKeys",
+                    "keyPath": "/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release"
+                }
+            ],
+           "": [
+                {
+                    "type": "insecureAcceptAnything"
+                }
+            ]
+        },
+        "docker-daemon": {
+            "": [
+                {
+                    "type": "insecureAcceptAnything"
+                }
+            ]
+        },
+        "atomic": {
+            "": [
+                {
+                    "type": "insecureAcceptAnything"
+                }
+            ]
+        },
+        "containers-storage": {
+            "": [
+                {
+                    "type": "insecureAcceptAnything"
+                }
+            ]
+        },
+        "dir": {
+            "": [
+                {
+                    "type": "insecureAcceptAnything"
+                }
+            ]
+        },
+        "oci": {
+            "": [
+                {
+                    "type": "insecureAcceptAnything"
+                }
+            ]
+        },
+        "oci-archive": {
+            "": [
+                {
+                    "type": "insecureAcceptAnything"
+                }
+            ]
+        },
+        "docker-archive": {
+            "": [
+                {
+                    "type": "insecureAcceptAnything"
+                }
+            ]
+        },
+        "tarball": {
+            "": [
+                {
+                    "type": "insecureAcceptAnything"
+                }
+            ]
+        }
+    }
+}
--- a/modules/signing/registry-config.yaml
+++ b/modules/signing/registry-config.yaml
@ -0,0 +1,3 @@
+docker:
+  ghcr.io/IMAGENAME:
+    use-sigstore-attachments: true
--- a/modules/signing/signing.sh
+++ b/modules/signing/signing.sh
@ -0,0 +1,56 @@
+#!/usr/bin/env bash
+
+# Tell build process to exit if there are any errors.
+set -oue pipefail
+
+CONTAINER_DIR="/usr/etc/containers"
+MODULE_DIRECTORY="${MODULE_DIRECTORY:-"/tmp/modules"}"
+
+echo "Setting up container signing in policy.json and cosign.yaml for $IMAGE_NAME"
+echo "Registry to write: $IMAGE_REGISTRY"
+
+if ! [ -d "$CONTAINER_DIR" ]; then
+    mkdir -p "$CONTAINER_DIR"
+fi
+
+if ! [ -d $CONTAINER_DIR/registries.d ]; then
+   mkdir -p "$CONTAINER_DIR/registries.d"
+fi
+
+if ! [ -d "/usr/etc/pki/containers" ]; then
+    mkdir -p "/usr/etc/pki/containers"
+fi
+
+if ! [ -f "$CONTAINER_DIR/policy.json" ]; then
+    cp "$MODULE_DIRECTORY/signing/policy.json" "$CONTAINER_DIR/policy.json"
+fi
+
+if ! [ -f "/usr/share/ublue-os/image-info.json" ]; then
+    cp "$MODULE_DIRECTORY/signing/image-info.json" "usr/share/ublue-os/image-info.json"
+fi
+
+
+mv "/usr/share/ublue-os/cosign.pub" "$CONTAINER_DIR/$IMAGE_NAME".pub
+
+POLICY_FILE="$CONTAINER_DIR/policy.json"
+IMAGE_INFO="/usr/share/ublue-os/image-info.json"
+
+yq -i -o=j '.transports.docker |=
+    {"'"$IMAGE_REGISTRY"'/'"$IMAGE_NAME"'": [
+            {
+                "type": "sigstoreSigned",
+                "keyPath": "/usr/etc/pki/containers/'"$IMAGE_NAME"'.pub",
+                "signedIdentity": {
+                    "type": "matchRepository"
+                }
+            }
+        ]
+    }
+ .' "$POLICY_FILE"
+
+IMAGE_REF="ostree-image-signed:docker://$IMAGE_REGISTRY/$IMAGE_NAME"
+# Sets image-info.json used by ublue-update for auto-rebase workaround. Used by both bazzite and bluefin
+yq -i -o=j '.image-ref="'"$IMAGE_REF"'" | .fedora-version="'"$OS_VERSION"'"' "$IMAGE_INFO"
+
+mv "$MODULE_DIRECTORY/signing/registry-config.yaml" "$CONTAINER_DIR/registries.d/$IMAGE_NAME.yaml"
+sed -i "s ghcr.io/IMAGENAME $IMAGE_REGISTRY g" "$CONTAINER_DIR/registries.d/$IMAGE_NAME.yaml"