2025-06-16 16:18:31 -04:00
6 changed files with 187 additions and 2 deletions
--- a/modules/hydro-os-signing/hydro-os-signing.sh
+++ b/modules/hydro-os-signing/hydro-os-signing.sh
@@ -0,0 +1,72 @@
 #!/usr/bin/env bash
 # derived from wayblue repository, modified to work with hydro-os
 # Tell build process to exit if there are any errors.
 set -euo pipefail
 CONTAINER_DIR="/usr/etc/containers"
 ETC_CONTAINER_DIR="/etc/containers"
 MODULE_DIRECTORY="${MODULE_DIRECTORY:-"/tmp/modules"}"
 IMAGE_NAME_FILE="${IMAGE_NAME//\//_}"
 IMAGE_REGISTRY_TITLE=$(echo "$IMAGE_REGISTRY" | cut -d'/' -f2-)
 echo "Setting up container signing in policy.json and cosign.yaml for $IMAGE_NAME"
 echo "Registry to write: $IMAGE_REGISTRY"
 if ! [ -d "$CONTAINER_DIR" ]; then
    mkdir -p "$CONTAINER_DIR"
 fi
 if ! [ -d "$ETC_CONTAINER_DIR" ]; then
    mkdir -p "$ETC_CONTAINER_DIR"
 fi
 if ! [ -d $CONTAINER_DIR/registries.d ]; then
   mkdir -p "$CONTAINER_DIR/registries.d"
 fi
 if ! [ -d $ETC_CONTAINER_DIR/registries.d ]; then
   mkdir -p "$ETC_CONTAINER_DIR/registries.d"
 fi
 if ! [ -d "/usr/etc/pki/containers" ]; then
    mkdir -p "/usr/etc/pki/containers"
 fi
 if ! [ -d "/etc/pki/containers" ]; then
    mkdir -p "/etc/pki/containers"
 fi
 cp "$MODULE_DIRECTORY/hydro-os-signing/policy.json" $CONTAINER_DIR/policy.json
 cp "$MODULE_DIRECTORY/hydro-os-signing/policy.json" $ETC_CONTAINER_DIR/policy.json
 # covering our bases here since /usr/etc is technically unsupported, reevaluate once bootc is the primary deployment tool
 cp "/etc/pki/containers/$IMAGE_NAME.pub" "/usr/etc/pki/containers/$IMAGE_REGISTRY_TITLE.pub"
 cp "/etc/pki/containers/$IMAGE_NAME.pub" "/etc/pki/containers/$IMAGE_REGISTRY_TITLE.pub"
 rm "/etc/pki/containers/$IMAGE_NAME.pub"
 POLICY_FILE="$CONTAINER_DIR/policy.json"
 jq --arg image_registry "${IMAGE_REGISTRY}" \
   --arg image_registry_title "${IMAGE_REGISTRY_TITLE}" \
   '.transports.docker |= 
    { $image_registry: [
        {
            "type": "sigstoreSigned",
            "keyPath": ("/usr/etc/pki/containers/" + $image_registry_title + ".pub"),
            "signedIdentity": {
                "type": "matchRepository"
            }
        }
    ] } + .' "${POLICY_FILE}" > POLICY.tmp
 # covering our bases here since /usr/etc is technically unsupported, reevaluate once bootc is the primary deployment tool
 cp POLICY.tmp /usr/etc/containers/policy.json
 cp POLICY.tmp /etc/containers/policy.json
 rm POLICY.tmp
 sed -i "s git.hydrosaber.com/IMAGENAME $IMAGE_REGISTRY g" "$MODULE_DIRECTORY/hydro-os-signing/registry-config.yaml"
 cp "$MODULE_DIRECTORY/hydro-os-signing/registry-config.yaml" "$CONTAINER_DIR/registries.d/$IMAGE_REGISTRY_TITLE.yaml"
 cp "$MODULE_DIRECTORY/hydro-os-signing/registry-config.yaml" "$ETC_CONTAINER_DIR/registries.d/$IMAGE_REGISTRY_TITLE.yaml"
 rm "$MODULE_DIRECTORY/hydro-os-signing/registry-config.yaml"
--- a/modules/hydro-os-signing/module.yml
+++ b/modules/hydro-os-signing/module.yml
@@ -0,0 +1,4 @@
 name: hydro-os-signing
 shortdesc: The signing module is used to install the required signing policies for cosign image verification with rpm-ostree and bootc. Taken from wayblue.
 example: |
  type: hydro-os-signing # This sets up the proper policy and signing files for signed images to work fully
--- a/modules/hydro-os-signing/policy.json
+++ b/modules/hydro-os-signing/policy.json
@@ -0,0 +1,104 @@
 {
    "default": [
        {
            "type": "reject"
        }
    ],
    "transports": {
        "docker": {
            "registry.access.redhat.com": [
                {
                    "type": "signedBy",
                    "keyType": "GPGKeys",
                    "keyPath": "/usr/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release"
                }
            ],
            "registry.redhat.io": [
                {
                    "type": "signedBy",
                    "keyType": "GPGKeys",
                    "keyPath": "/usr/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release"
                }
            ],
            "quay.io/toolbx-images": [
                {
                    "type": "sigstoreSigned",
                    "keyPath": "/usr/etc/pki/containers/quay.io-toolbx-images.pub",
                    "signedIdentity": {
                        "type": "matchRepository"
                    }
                }
            ],
            "ghcr.io/ublue-os": [
                {
                    "type": "sigstoreSigned",
                    "keyPath": "/usr/etc/pki/containers/ublue-os.pub",
                    "signedIdentity": {
                        "type": "matchRepository"
                    }
                }
            ],
            "": [
                {
                    "type": "insecureAcceptAnything"
                }
            ]
        },
        "docker-daemon": {
            "": [
                {
                    "type": "insecureAcceptAnything"
                }
            ]
        },
        "atomic": {
            "": [
                {
                    "type": "insecureAcceptAnything"
                }
            ]
        },
        "containers-storage": {
            "": [
                {
                    "type": "insecureAcceptAnything"
                }
            ]
        },
        "dir": {
            "": [
                {
                    "type": "insecureAcceptAnything"
                }
            ]
        },
        "oci": {
            "": [
                {
                    "type": "insecureAcceptAnything"
                }
            ]
        },
        "oci-archive": {
            "": [
                {
                    "type": "insecureAcceptAnything"
                }
            ]
        },
        "docker-archive": {
            "": [
                {
                    "type": "insecureAcceptAnything"
                }
            ]
        },
        "tarball": {
            "": [
                {
                    "type": "insecureAcceptAnything"
                }
            ]
        }
    }
 }
--- a/modules/hydro-os-signing/registry-config.yaml
+++ b/modules/hydro-os-signing/registry-config.yaml
@@ -0,0 +1,3 @@
 docker:
  git.hydrosaber.com/IMAGENAME:
    use-sigstore-attachments: true
--- a/recipes/recipe.yml
+++ b/recipes/recipe.yml
@@ -24,5 +24,6 @@ modules:
  - from-file: components/default-flatpak.yml
  - from-file: components/chezmoi-module.yml
-  - type: signing # this sets up the proper policy & signing files for signed images to work fully
+  - type: hydro-os-signing
    source: local
--- a/recipes/recipe_nvidia.yml
+++ b/recipes/recipe_nvidia.yml
@@ -26,5 +26,6 @@ modules:
  - from-file: components/chezmoi-module.yml
  - type: initramfs
-  - type: signing # this sets up the proper policy & signing files for signed images to work fully
+  - type: hydro-os-signing
    source: local