From c168988e13e089b3603d9b668a3f9e6f909259bc Mon Sep 17 00:00:00 2001
From: Eriq Taing
Date: Mon, 16 Jun 2025 15:42:38 -0400
Subject: [PATCH 1/2] Created module hydro-os-signing
---
 modules/hydro-os-signing/hydro-os-signing.sh | 72 ++++++++++++
 modules/hydro-os-signing/module.yml | 4 +
 modules/hydro-os-signing/policy.json | 104 ++++++++++++++++++
 modules/hydro-os-signing/registry-config.yaml | 3 +
 4 files changed, 183 insertions(+)
 create mode 100644 modules/hydro-os-signing/hydro-os-signing.sh
 create mode 100644 modules/hydro-os-signing/module.yml
 create mode 100644 modules/hydro-os-signing/policy.json
 create mode 100644 modules/hydro-os-signing/registry-config.yaml
diff --git a/modules/hydro-os-signing/hydro-os-signing.sh b/modules/hydro-os-signing/hydro-os-signing.sh
new file mode 100644
index 0000000..2298f2e
--- /dev/null
+++ b/modules/hydro-os-signing/hydro-os-signing.sh
@@ -0,0 +1,72 @@
+#!/usr/bin/env bash
+
+# derived from wayblue repository, modified to work with hydro-os
+
+# Tell build process to exit if there are any errors.
+set -euo pipefail
+
+CONTAINER_DIR="/usr/etc/containers"
+ETC_CONTAINER_DIR="/etc/containers"
+MODULE_DIRECTORY="${MODULE_DIRECTORY:-"/tmp/modules"}"
+IMAGE_NAME_FILE="${IMAGE_NAME//\//_}"
+IMAGE_REGISTRY_TITLE=$(echo "$IMAGE_REGISTRY" | cut -d'/' -f2-)
+
+echo "Setting up container signing in policy.json and cosign.yaml for $IMAGE_NAME"
+echo "Registry to write: $IMAGE_REGISTRY"
+
+if ! [ -d "$CONTAINER_DIR" ]; then
+ mkdir -p "$CONTAINER_DIR"
+fi
+
+if ! [ -d "$ETC_CONTAINER_DIR" ]; then
+ mkdir -p "$ETC_CONTAINER_DIR"
+fi
+
+if ! [ -d $CONTAINER_DIR/registries.d ]; then
+ mkdir -p "$CONTAINER_DIR/registries.d"
+fi
+
+if ! [ -d $ETC_CONTAINER_DIR/registries.d ]; then
+ mkdir -p "$ETC_CONTAINER_DIR/registries.d"
+fi
+
+if ! [ -d "/usr/etc/pki/containers" ]; then
+ mkdir -p "/usr/etc/pki/containers"
+fi
+
+if ! [ -d "/etc/pki/containers" ]; then
+ mkdir -p "/etc/pki/containers"
+fi
+
+cp "$MODULE_DIRECTORY/hydro-os-signing/policy.json" $CONTAINER_DIR/policy.json
+cp "$MODULE_DIRECTORY/hydro-os-signing/policy.json" $ETC_CONTAINER_DIR/policy.json
+
+# covering our bases here since /usr/etc is technically unsupported, reevaluate once bootc is the primary deployment tool
+cp "/etc/pki/containers/$IMAGE_NAME.pub" "/usr/etc/pki/containers/$IMAGE_REGISTRY_TITLE.pub"
+cp "/etc/pki/containers/$IMAGE_NAME.pub" "/etc/pki/containers/$IMAGE_REGISTRY_TITLE.pub"
+rm "/etc/pki/containers/$IMAGE_NAME.pub"
+
+POLICY_FILE="$CONTAINER_DIR/policy.json"
+
+jq --arg image_registry "${IMAGE_REGISTRY}" \
+ --arg image_registry_title "${IMAGE_REGISTRY_TITLE}" \
+ '.transports.docker |=
+ { $image_registry: [
+ {
+ "type": "sigstoreSigned",
+ "keyPath": ("/usr/etc/pki/containers/" + $image_registry_title + ".pub"),
+ "signedIdentity": {
+ "type": "matchRepository"
+ }
+ }
+ ] } + .' "${POLICY_FILE}" > POLICY.tmp
+
+# covering our bases here since /usr/etc is technically unsupported, reevaluate once bootc is the primary deployment tool
+cp POLICY.tmp /usr/etc/containers/policy.json
+cp POLICY.tmp /etc/containers/policy.json
+rm POLICY.tmp
+
+sed -i "s git.hydrosaber.com/IMAGENAME $IMAGE_REGISTRY g" "$MODULE_DIRECTORY/hydro-os-signing/registry-config.yaml"
+cp "$MODULE_DIRECTORY/hydro-os-signing/registry-config.yaml" "$CONTAINER_DIR/registries.d/$IMAGE_REGISTRY_TITLE.yaml"
+cp "$MODULE_DIRECTORY/hydro-os-signing/registry-config.yaml" "$ETC_CONTAINER_DIR/registries.d/$IMAGE_REGISTRY_TITLE.yaml"
+rm "$MODULE_DIRECTORY/hydro-os-signing/registry-config.yaml"
\ No newline at end of file
diff --git a/modules/hydro-os-signing/module.yml b/modules/hydro-os-signing/module.yml
new file mode 100644
index 0000000..1b92804
--- /dev/null
+++ b/modules/hydro-os-signing/module.yml
@@ -0,0 +1,4 @@
+name: hydro-os-signing
+shortdesc: The signing module is used to install the required signing policies for cosign image verification with rpm-ostree and bootc. Taken from wayblue.
+example: |
+ type: hydro-os-signing # This sets up the proper policy and signing files for signed images to work fully
\ No newline at end of file
diff --git a/modules/hydro-os-signing/policy.json b/modules/hydro-os-signing/policy.json
new file mode 100644
index 0000000..21473af
--- /dev/null
+++ b/modules/hydro-os-signing/policy.json
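Review bot: The merged policy is staged as a relative `POLICY.tmp` in whatever directory the build step happens to run from, and if `jq` fails (an unparsable `$POLICY_FILE`, for instance) `set -e` stops the script before the `rm POLICY.tmp`, leaving the partial file behind; staging it with `mktemp` and removing it from an `EXIT` trap fixes both, as sketched below. Two smaller points in the same hunk: `IMAGE_NAME_FILE` is assigned but never read, and `[ -d $CONTAINER_DIR/registries.d ]`, `[ -d $ETC_CONTAINER_DIR/registries.d ]` and the two `cp … $CONTAINER_DIR/policy.json` / `$ETC_CONTAINER_DIR/policy.json` targets are the only unquoted expansions in a file that otherwise quotes everything (ShellCheck SC2086). The `sed -i "s git.hydrosaber.com/IMAGENAME $IMAGE_REGISTRY g"` line splices `$IMAGE_REGISTRY` into the sed program itself, so a value containing a space, `&` or `\` would alter the command rather than be written literally; a comment such as `# IMAGE_REGISTRY must be a plain host/path with no sed-special characters` would at least make the assumption explicit.
```shell
POLICY_TMP=$(mktemp)
trap 'rm -f -- "$POLICY_TMP"' EXIT

# … unchanged: jq --arg … invocation and filter, ending with …
 ] } + .' "${POLICY_FILE}" > "$POLICY_TMP"

# covering our bases here since /usr/etc is technically unsupported, reevaluate once bootc is the primary deployment tool
cp "$POLICY_TMP" /usr/etc/containers/policy.json
cp "$POLICY_TMP" /etc/containers/policy.json
```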
@@ -0,0 +1,104 @@
+{
+ "default": [
+ {
+ "type": "reject"
+ }
+ ],
+ "transports": {
+ "docker": {
+ "registry.access.redhat.com": [
+ {
+ "type": "signedBy",
+ "keyType": "GPGKeys",
+ "keyPath": "/usr/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release"
+ }
+ ],
+ "registry.redhat.io": [
+ {
+ "type": "signedBy",
+ "keyType": "GPGKeys",
+ "keyPath": "/usr/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release"
+ }
+ ],
+ "quay.io/toolbx-images": [
+ {
+ "type": "sigstoreSigned",
+ "keyPath": "/usr/etc/pki/containers/quay.io-toolbx-images.pub",
+ "signedIdentity": {
+ "type": "matchRepository"
+ }
+ }
+ ],
+ "ghcr.io/ublue-os": [
+ {
+ "type": "sigstoreSigned",
+ "keyPath": "/usr/etc/pki/containers/ublue-os.pub",
+ "signedIdentity": {
+ "type": "matchRepository"
+ }
+ }
+ ],
+ "": [
+ {
+ "type": "insecureAcceptAnything"
+ }
+ ]
+ },
+ "docker-daemon": {
+ "": [
+ {
+ "type": "insecureAcceptAnything"
+ }
+ ]
+ },
+ "atomic": {
+ "": [
+ {
+ "type": "insecureAcceptAnything"
+ }
+ ]
+ },
+ "containers-storage": {
+ "": [
+ {
+ "type": "insecureAcceptAnything"
+ }
+ ]
+ },
+ "dir": {
+ "": [
+ {
+ "type": "insecureAcceptAnything"
+ }
+ ]
+ },
+ "oci": {
+ "": [
+ {
+ "type": "insecureAcceptAnything"
+ }
+ ]
+ },
+ "oci-archive": {
+ "": [
+ {
+ "type": "insecureAcceptAnything"
+ }
+ ]
+ },
+ "docker-archive": {
+ "": [
+ {
+ "type": "insecureAcceptAnything"
+ }
+ ]
+ },
+ "tarball": {
+ "": [
+ {
+ "type": "insecureAcceptAnything"
+ }
+ ]
+ }
+ }
+}
\ No newline at end of file
diff --git a/modules/hydro-os-signing/registry-config.yaml b/modules/hydro-os-signing/registry-config.yaml
new file mode 100644
index 0000000..59215d7
--- /dev/null
+++ b/modules/hydro-os-signing/registry-config.yaml
@@ -0,0 +1,3 @@
+docker:
+ git.hydrosaber.com/IMAGENAME:
+ use-sigstore-attachments: true
\ No newline at end of file
--
2.39.5
From f76c13d1035f552007120a30c4ccaf3d1d78cf19 Mon Sep 17 00:00:00 2001
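Review bot: The `docker` transport ends with a `""` catch-all of `insecureAcceptAnything`, so the top-level `"default": [{"type": "reject"}]` never applies to a registry pull: an image from any registry not named above it is accepted with no signature check, and the signing script in this patch only prepends the image's own registry entry to that map, it does not tighten the fallback. The shell file says the module is derived from wayblue, so this is probably inherited, but the module's `shortdesc` ("install the required signing policies for cosign image verification") gives no hint that pulls from unlisted registries stay unverified; if that is intended, a sentence there saying so would save the next reader a surprise. If it is not intended, `"": [ { "type": "reject" } ]` under `docker` is the one-line change, at the cost of needing an explicit entry for every registry the image pulls from. The same catch-all on the local transports (`containers-storage`, `dir`, `oci`, archives) is the usual arrangement and is not what this note is about.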
From: Eriq Taing
Date: Mon, 16 Jun 2025 15:53:22 -0400
Subject: [PATCH 2/2] Use hydro-os signing module
---
 recipes/recipe.yml | 3 ++-
 recipes/recipe_nvidia.yml | 3 ++-
 2 files changed, 4 insertions(+), 2 deletions(-)
diff --git a/recipes/recipe.yml b/recipes/recipe.yml
index c84974e..bb39b8f 100644
--- a/recipes/recipe.yml
+++ b/recipes/recipe.yml
@@ -24,5 +24,6 @@ modules:
 - from-file: components/default-flatpak.yml
 - from-file: components/chezmoi-module.yml
- - type: signing # this sets up the proper policy & signing files for signed images to work fully
+ - type: hydro-os-signing
+ source: local
diff --git a/recipes/recipe_nvidia.yml b/recipes/recipe_nvidia.yml
index 6373f64..eeecf16 100644
--- a/recipes/recipe_nvidia.yml
+++ b/recipes/recipe_nvidia.yml
@@ -26,5 +26,6 @@ modules:
 - from-file: components/chezmoi-module.yml
 - type: initramfs
- - type: signing # this sets up the proper policy & signing files for signed images to work fully
+ - type: hydro-os-signing
+ source: local
--
2.39.5