particle-os/particle-os-modules
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

fix(signing): Don't copy ublue-os key if image key exists (#174)

Browse source
This commit is contained in:
fiftydinar 2024-03-23 11:19:51 +01:00 committed by GitHub
commit 9fbffaea27
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
1 changed files with 7 additions and 4 deletions
Download patch file Download diff file Expand all files Collapse all files

11
modules/signing/signing.sh
View file

@ -5,6 +5,7 @@ set -euo pipefail
CONTAINER_DIR="/usr/etc/containers"
MODULE_DIRECTORY="${MODULE_DIRECTORY:-"/tmp/modules"}"
IMAGE_NAME_FILE="${IMAGE_NAME//\//_}"
echo "Setting up container signing in policy.json and cosign.yaml for $IMAGE_NAME"
echo "Registry to write: $IMAGE_REGISTRY"
@ -25,7 +26,9 @@ if ! [ -f "$CONTAINER_DIR/policy.json" ]; then
cp "$MODULE_DIRECTORY/signing/policy.json" "$CONTAINER_DIR/policy.json"
fi
cp "/usr/share/ublue-os/cosign.pub" "/usr/etc/pki/containers/$IMAGE_NAME.pub"
if ! [ -f "/usr/etc/pki/containers/$IMAGE_NAME_FILE.pub" ]; then
cp "/usr/share/ublue-os/cosign.pub" "/usr/etc/pki/containers/$IMAGE_NAME_FILE.pub"
fi
POLICY_FILE="$CONTAINER_DIR/policy.json"
@ -33,7 +36,7 @@ yq -i -o=j '.transports.docker |=
{"'"$IMAGE_REGISTRY"'/'"$IMAGE_NAME"'": [
{
"type": "sigstoreSigned",
"keyPath": "/usr/etc/pki/containers/'"$IMAGE_NAME"'.pub",
"keyPath": "/usr/etc/pki/containers/'"$IMAGE_NAME_FILE"'.pub",
"signedIdentity": {
"type": "matchRepository"
}
@ -42,5 +45,5 @@ yq -i -o=j '.transports.docker |=
}
+ .' "$POLICY_FILE"
mv "$MODULE_DIRECTORY/signing/registry-config.yaml" "$CONTAINER_DIR/registries.d/$IMAGE_NAME.yaml"
sed -i "s ghcr.io/IMAGENAME $IMAGE_REGISTRY g" "$CONTAINER_DIR/registries.d/$IMAGE_NAME.yaml"
mv "$MODULE_DIRECTORY/signing/registry-config.yaml" "$CONTAINER_DIR/registries.d/$IMAGE_NAME_FILE.yaml"
sed -i "s ghcr.io/IMAGENAME $IMAGE_REGISTRY g" "$CONTAINER_DIR/registries.d/$IMAGE_NAME_FILE.yaml"