eriq12/hydro-os
1
0
Fork 0
Code Issues Pull Requests 1 Actions Packages Projects Releases Wiki Activity

gitea-hydro-os-signing #13

Merged
eriq12 merged 2 commits from gitea-hydro-os-signing into main 2025-06-16 16:18:31 -04:00
Conversation 0 Commits 2 Files Changed 6 +187 -2
6 changed files with 187 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

72
modules/hydro-os-signing/hydro-os-signing.sh Normal file
View File

@@ -0,0 +1,72 @@
#!/usr/bin/env bash
# derived from wayblue repository, modified to work with hydro-os
# Tell build process to exit if there are any errors.
set -euo pipefail
CONTAINER_DIR="/usr/etc/containers"
ETC_CONTAINER_DIR="/etc/containers"
MODULE_DIRECTORY="${MODULE_DIRECTORY:-"/tmp/modules"}"
IMAGE_NAME_FILE="${IMAGE_NAME//\//_}"
IMAGE_REGISTRY_TITLE=$(echo "$IMAGE_REGISTRY" | cut -d'/' -f2-)
echo "Setting up container signing in policy.json and cosign.yaml for $IMAGE_NAME"
echo "Registry to write: $IMAGE_REGISTRY"
if ! [ -d "$CONTAINER_DIR" ]; then
mkdir -p "$CONTAINER_DIR"
fi
if ! [ -d "$ETC_CONTAINER_DIR" ]; then
mkdir -p "$ETC_CONTAINER_DIR"
fi
if ! [ -d $CONTAINER_DIR/registries.d ]; then
mkdir -p "$CONTAINER_DIR/registries.d"
fi
if ! [ -d $ETC_CONTAINER_DIR/registries.d ]; then
mkdir -p "$ETC_CONTAINER_DIR/registries.d"
fi
if ! [ -d "/usr/etc/pki/containers" ]; then
mkdir -p "/usr/etc/pki/containers"
fi
if ! [ -d "/etc/pki/containers" ]; then
mkdir -p "/etc/pki/containers"
fi
cp "$MODULE_DIRECTORY/hydro-os-signing/policy.json" $CONTAINER_DIR/policy.json
cp "$MODULE_DIRECTORY/hydro-os-signing/policy.json" $ETC_CONTAINER_DIR/policy.json
# covering our bases here since /usr/etc is technically unsupported, reevaluate once bootc is the primary deployment tool
cp "/etc/pki/containers/$IMAGE_NAME.pub" "/usr/etc/pki/containers/$IMAGE_REGISTRY_TITLE.pub"
cp "/etc/pki/containers/$IMAGE_NAME.pub" "/etc/pki/containers/$IMAGE_REGISTRY_TITLE.pub"
rm "/etc/pki/containers/$IMAGE_NAME.pub"
POLICY_FILE="$CONTAINER_DIR/policy.json"
jq --arg image_registry "${IMAGE_REGISTRY}" \
--arg image_registry_title "${IMAGE_REGISTRY_TITLE}" \
'.transports.docker |=
{ $image_registry: [
{
"type": "sigstoreSigned",
"keyPath": ("/usr/etc/pki/containers/" + $image_registry_title + ".pub"),
"signedIdentity": {
"type": "matchRepository"
}
}
] } + .' "${POLICY_FILE}" > POLICY.tmp
# covering our bases here since /usr/etc is technically unsupported, reevaluate once bootc is the primary deployment tool
cp POLICY.tmp /usr/etc/containers/policy.json
cp POLICY.tmp /etc/containers/policy.json
rm POLICY.tmp
sed -i "s git.hydrosaber.com/IMAGENAME $IMAGE_REGISTRY g" "$MODULE_DIRECTORY/hydro-os-signing/registry-config.yaml"
cp "$MODULE_DIRECTORY/hydro-os-signing/registry-config.yaml" "$CONTAINER_DIR/registries.d/$IMAGE_REGISTRY_TITLE.yaml"
cp "$MODULE_DIRECTORY/hydro-os-signing/registry-config.yaml" "$ETC_CONTAINER_DIR/registries.d/$IMAGE_REGISTRY_TITLE.yaml"
rm "$MODULE_DIRECTORY/hydro-os-signing/registry-config.yaml"

4
modules/hydro-os-signing/module.yml Normal file
View File

@@ -0,0 +1,4 @@
name: hydro-os-signing
shortdesc: The signing module is used to install the required signing policies for cosign image verification with rpm-ostree and bootc. Taken from wayblue.
example: |
type: hydro-os-signing # This sets up the proper policy and signing files for signed images to work fully

104
modules/hydro-os-signing/policy.json Normal file
View File

@@ -0,0 +1,104 @@
{
"default": [
{
"type": "reject"
}
],
"transports": {
"docker": {
"registry.access.redhat.com": [
{
"type": "signedBy",
"keyType": "GPGKeys",
"keyPath": "/usr/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release"
}
],
"registry.redhat.io": [
{
"type": "signedBy",
"keyType": "GPGKeys",
"keyPath": "/usr/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release"
}
],
"quay.io/toolbx-images": [
{
"type": "sigstoreSigned",
"keyPath": "/usr/etc/pki/containers/quay.io-toolbx-images.pub",
"signedIdentity": {
"type": "matchRepository"
}
}
],
"ghcr.io/ublue-os": [
{
"type": "sigstoreSigned",
"keyPath": "/usr/etc/pki/containers/ublue-os.pub",
"signedIdentity": {
"type": "matchRepository"
}
}
],
"": [
{
"type": "insecureAcceptAnything"
}
]
},
"docker-daemon": {
"": [
{
"type": "insecureAcceptAnything"
}
]
},
"atomic": {
"": [
{
"type": "insecureAcceptAnything"
}
]
},
"containers-storage": {
"": [
{
"type": "insecureAcceptAnything"
}
]
},
"dir": {
"": [
{
"type": "insecureAcceptAnything"
}
]
},
"oci": {
"": [
{
"type": "insecureAcceptAnything"
}
]
},
"oci-archive": {
"": [
{
"type": "insecureAcceptAnything"
}
]
},
"docker-archive": {
"": [
{
"type": "insecureAcceptAnything"
}
]
},
"tarball": {
"": [
{
"type": "insecureAcceptAnything"
}
]
}
}
}

3
modules/hydro-os-signing/registry-config.yaml Normal file
View File

@@ -0,0 +1,3 @@
docker:
git.hydrosaber.com/IMAGENAME:
use-sigstore-attachments: true

3
recipes/recipe.yml
View File

@@ -24,5 +24,6 @@ modules:
- from-file: components/default-flatpak.yml
- from-file: components/chezmoi-module.yml
- type: signing # this sets up the proper policy & signing files for signed images to work fully
- type: hydro-os-signing
source: local

3
recipes/recipe_nvidia.yml
View File

@@ -26,5 +26,6 @@ modules:
- from-file: components/chezmoi-module.yml
- type: initramfs
- type: signing # this sets up the proper policy & signing files for signed images to work fully
- type: hydro-os-signing
source: local