diff --git a/modules/hydro-os-signing/hydro-os-signing.sh b/modules/hydro-os-signing/hydro-os-signing.sh
deleted file mode 100644
index 2298f2e..0000000
--- a/modules/hydro-os-signing/hydro-os-signing.sh
+++ /dev/null
@@ -1,72 +0,0 @@
-#!/usr/bin/env bash
-
-# derived from wayblue repository, modified to work with hydro-os
-
-# Tell build process to exit if there are any errors.
-set -euo pipefail
-
-CONTAINER_DIR="/usr/etc/containers"
-ETC_CONTAINER_DIR="/etc/containers"
-MODULE_DIRECTORY="${MODULE_DIRECTORY:-"/tmp/modules"}"
-IMAGE_NAME_FILE="${IMAGE_NAME//\//_}"
-IMAGE_REGISTRY_TITLE=$(echo "$IMAGE_REGISTRY" | cut -d'/' -f2-)
-
-echo "Setting up container signing in policy.json and cosign.yaml for $IMAGE_NAME"
-echo "Registry to write: $IMAGE_REGISTRY"
-
-if ! [ -d "$CONTAINER_DIR" ]; then
- mkdir -p "$CONTAINER_DIR"
-fi
-
-if ! [ -d "$ETC_CONTAINER_DIR" ]; then
- mkdir -p "$ETC_CONTAINER_DIR"
-fi
-
-if ! [ -d $CONTAINER_DIR/registries.d ]; then
- mkdir -p "$CONTAINER_DIR/registries.d"
-fi
-
-if ! [ -d $ETC_CONTAINER_DIR/registries.d ]; then
- mkdir -p "$ETC_CONTAINER_DIR/registries.d"
-fi
-
-if ! [ -d "/usr/etc/pki/containers" ]; then
- mkdir -p "/usr/etc/pki/containers"
-fi
-
-if ! [ -d "/etc/pki/containers" ]; then
- mkdir -p "/etc/pki/containers"
-fi
-
-cp "$MODULE_DIRECTORY/hydro-os-signing/policy.json" $CONTAINER_DIR/policy.json
-cp "$MODULE_DIRECTORY/hydro-os-signing/policy.json" $ETC_CONTAINER_DIR/policy.json
-
-# covering our bases here since /usr/etc is technically unsupported, reevaluate once bootc is the primary deployment tool
-cp "/etc/pki/containers/$IMAGE_NAME.pub" "/usr/etc/pki/containers/$IMAGE_REGISTRY_TITLE.pub"
-cp "/etc/pki/containers/$IMAGE_NAME.pub" "/etc/pki/containers/$IMAGE_REGISTRY_TITLE.pub"
-rm "/etc/pki/containers/$IMAGE_NAME.pub"
-
-POLICY_FILE="$CONTAINER_DIR/policy.json"
-
-jq --arg image_registry "${IMAGE_REGISTRY}" \
- --arg image_registry_title "${IMAGE_REGISTRY_TITLE}" \
- '.transports.docker |=
- { $image_registry: [
- {
- "type": "sigstoreSigned",
- "keyPath": ("/usr/etc/pki/containers/" + $image_registry_title + ".pub"),
- "signedIdentity": {
- "type": "matchRepository"
- }
- }
- ] } + .' "${POLICY_FILE}" > POLICY.tmp
-
-# covering our bases here since /usr/etc is technically unsupported, reevaluate once bootc is the primary deployment tool
-cp POLICY.tmp /usr/etc/containers/policy.json
-cp POLICY.tmp /etc/containers/policy.json
-rm POLICY.tmp
-
-sed -i "s git.hydrosaber.com/IMAGENAME $IMAGE_REGISTRY g" "$MODULE_DIRECTORY/hydro-os-signing/registry-config.yaml"
-cp "$MODULE_DIRECTORY/hydro-os-signing/registry-config.yaml" "$CONTAINER_DIR/registries.d/$IMAGE_REGISTRY_TITLE.yaml"
-cp "$MODULE_DIRECTORY/hydro-os-signing/registry-config.yaml" "$ETC_CONTAINER_DIR/registries.d/$IMAGE_REGISTRY_TITLE.yaml"
-rm "$MODULE_DIRECTORY/hydro-os-signing/registry-config.yaml"
\ No newline at end of file
diff --git a/modules/hydro-os-signing/module.yml b/modules/hydro-os-signing/module.yml
deleted file mode 100644
index 1b92804..0000000
--- a/modules/hydro-os-signing/module.yml
+++ /dev/null
@@ -1,4 +0,0 @@
-name: hydro-os-signing
-shortdesc: The signing module is used to install the required signing policies for cosign image verification with rpm-ostree and bootc. Taken from wayblue.
-example: |
- type: hydro-os-signing # This sets up the proper policy and signing files for signed images to work fully
\ No newline at end of file
diff --git a/modules/hydro-os-signing/policy.json b/modules/hydro-os-signing/policy.json
deleted file mode 100644
index 21473af..0000000
--- a/modules/hydro-os-signing/policy.json
+++ /dev/null
@@ -1,104 +0,0 @@
-{
- "default": [
- {
- "type": "reject"
- }
- ],
- "transports": {
- "docker": {
- "registry.access.redhat.com": [
- {
- "type": "signedBy",
- "keyType": "GPGKeys",
- "keyPath": "/usr/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release"
- }
- ],
- "registry.redhat.io": [
- {
- "type": "signedBy",
- "keyType": "GPGKeys",
- "keyPath": "/usr/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release"
- }
- ],
- "quay.io/toolbx-images": [
- {
- "type": "sigstoreSigned",
- "keyPath": "/usr/etc/pki/containers/quay.io-toolbx-images.pub",
- "signedIdentity": {
- "type": "matchRepository"
- }
- }
- ],
- "ghcr.io/ublue-os": [
- {
- "type": "sigstoreSigned",
- "keyPath": "/usr/etc/pki/containers/ublue-os.pub",
- "signedIdentity": {
- "type": "matchRepository"
- }
- }
- ],
- "": [
- {
- "type": "insecureAcceptAnything"
- }
- ]
- },
- "docker-daemon": {
- "": [
- {
- "type": "insecureAcceptAnything"
- }
- ]
- },
- "atomic": {
- "": [
- {
- "type": "insecureAcceptAnything"
- }
- ]
- },
- "containers-storage": {
- "": [
- {
- "type": "insecureAcceptAnything"
- }
- ]
- },
- "dir": {
- "": [
- {
- "type": "insecureAcceptAnything"
- }
- ]
- },
- "oci": {
- "": [
- {
- "type": "insecureAcceptAnything"
- }
- ]
- },
- "oci-archive": {
- "": [
- {
- "type": "insecureAcceptAnything"
- }
- ]
- },
- "docker-archive": {
- "": [
- {
- "type": "insecureAcceptAnything"
- }
- ]
- },
- "tarball": {
- "": [
- {
- "type": "insecureAcceptAnything"
- }
- ]
- }
- }
-}
\ No newline at end of file
diff --git a/modules/hydro-os-signing/registry-config.yaml b/modules/hydro-os-signing/registry-config.yaml
deleted file mode 100644
index 59215d7..0000000
--- a/modules/hydro-os-signing/registry-config.yaml
+++ /dev/null
@@ -1,3 +0,0 @@
-docker:
- git.hydrosaber.com/IMAGENAME:
- use-sigstore-attachments: true
\ No newline at end of file
diff --git a/recipes/recipe.yml b/recipes/recipe.yml
index 8c529e0..2f3b144 100644
--- a/recipes/recipe.yml
+++ b/recipes/recipe.yml
@@ -24,6 +24,5 @@ modules: - from-file: components/default-flatpak.yml - from-file: components/chezmoi-module.yml
- - type: hydro-os-signing
- source: local
+ - type: signing
diff --git a/recipes/recipe_nvidia.yml b/recipes/recipe_nvidia.yml
index 5a6882d..6352ef1 100644
--- a/recipes/recipe_nvidia.yml
+++ b/recipes/recipe_nvidia.yml
@@ -26,6 +26,5 @@ modules: - from-file: components/chezmoi-module.yml - type: initramfs
- - type: hydro-os-signing
- source: local
+ - type: signing
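Review bot: Nothing on the new `- type: signing` line shows that the stock module reproduces what the removed local module set up: a `sigstoreSigned` entry with `matchRepository` for the image's own registry in `policy.json`, and a `registries.d` file with `use-sigstore-attachments: true` for that registry. If the replacement writes a different policy, or none, for `git.hydrosaber.com`, updates of the OS image itself would no longer be signature-checked, so the built image's `/etc/containers/policy.json` and `/etc/containers/registries.d/` are worth a one-time check after this change. The removed script also took its public key from `/etc/pki/containers/$IMAGE_NAME.pub` and renamed it by registry; if the stock module expects the key at another path in the repository, that file has to exist so the build fails loudly rather than producing an image with no key installed. The recipe_nvidia.yml hunk makes the same change and the same check applies there.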