chunking-signing-daily #17
@@ -1,72 +0,0 @@
|
|||||||
#!/usr/bin/env bash
|
|
||||||
|
|
||||||
# derived from wayblue repository, modified to work with hydro-os
|
|
||||||
|
|
||||||
# Tell build process to exit if there are any errors.
|
|
||||||
set -euo pipefail
|
|
||||||
|
|
||||||
CONTAINER_DIR="/usr/etc/containers"
|
|
||||||
ETC_CONTAINER_DIR="/etc/containers"
|
|
||||||
MODULE_DIRECTORY="${MODULE_DIRECTORY:-"/tmp/modules"}"
|
|
||||||
IMAGE_NAME_FILE="${IMAGE_NAME//\//_}"
|
|
||||||
IMAGE_REGISTRY_TITLE=$(echo "$IMAGE_REGISTRY" | cut -d'/' -f2-)
|
|
||||||
|
|
||||||
echo "Setting up container signing in policy.json and cosign.yaml for $IMAGE_NAME"
|
|
||||||
echo "Registry to write: $IMAGE_REGISTRY"
|
|
||||||
|
|
||||||
if ! [ -d "$CONTAINER_DIR" ]; then
|
|
||||||
mkdir -p "$CONTAINER_DIR"
|
|
||||||
fi
|
|
||||||
|
|
||||||
if ! [ -d "$ETC_CONTAINER_DIR" ]; then
|
|
||||||
mkdir -p "$ETC_CONTAINER_DIR"
|
|
||||||
fi
|
|
||||||
|
|
||||||
if ! [ -d $CONTAINER_DIR/registries.d ]; then
|
|
||||||
mkdir -p "$CONTAINER_DIR/registries.d"
|
|
||||||
fi
|
|
||||||
|
|
||||||
if ! [ -d $ETC_CONTAINER_DIR/registries.d ]; then
|
|
||||||
mkdir -p "$ETC_CONTAINER_DIR/registries.d"
|
|
||||||
fi
|
|
||||||
|
|
||||||
if ! [ -d "/usr/etc/pki/containers" ]; then
|
|
||||||
mkdir -p "/usr/etc/pki/containers"
|
|
||||||
fi
|
|
||||||
|
|
||||||
if ! [ -d "/etc/pki/containers" ]; then
|
|
||||||
mkdir -p "/etc/pki/containers"
|
|
||||||
fi
|
|
||||||
|
|
||||||
cp "$MODULE_DIRECTORY/hydro-os-signing/policy.json" $CONTAINER_DIR/policy.json
|
|
||||||
cp "$MODULE_DIRECTORY/hydro-os-signing/policy.json" $ETC_CONTAINER_DIR/policy.json
|
|
||||||
|
|
||||||
# covering our bases here since /usr/etc is technically unsupported, reevaluate once bootc is the primary deployment tool
|
|
||||||
cp "/etc/pki/containers/$IMAGE_NAME.pub" "/usr/etc/pki/containers/$IMAGE_REGISTRY_TITLE.pub"
|
|
||||||
cp "/etc/pki/containers/$IMAGE_NAME.pub" "/etc/pki/containers/$IMAGE_REGISTRY_TITLE.pub"
|
|
||||||
rm "/etc/pki/containers/$IMAGE_NAME.pub"
|
|
||||||
|
|
||||||
POLICY_FILE="$CONTAINER_DIR/policy.json"
|
|
||||||
|
|
||||||
jq --arg image_registry "${IMAGE_REGISTRY}" \
|
|
||||||
--arg image_registry_title "${IMAGE_REGISTRY_TITLE}" \
|
|
||||||
'.transports.docker |=
|
|
||||||
{ $image_registry: [
|
|
||||||
{
|
|
||||||
"type": "sigstoreSigned",
|
|
||||||
"keyPath": ("/usr/etc/pki/containers/" + $image_registry_title + ".pub"),
|
|
||||||
"signedIdentity": {
|
|
||||||
"type": "matchRepository"
|
|
||||||
}
|
|
||||||
}
|
|
||||||
] } + .' "${POLICY_FILE}" > POLICY.tmp
|
|
||||||
|
|
||||||
# covering our bases here since /usr/etc is technically unsupported, reevaluate once bootc is the primary deployment tool
|
|
||||||
cp POLICY.tmp /usr/etc/containers/policy.json
|
|
||||||
cp POLICY.tmp /etc/containers/policy.json
|
|
||||||
rm POLICY.tmp
|
|
||||||
|
|
||||||
sed -i "s git.hydrosaber.com/IMAGENAME $IMAGE_REGISTRY g" "$MODULE_DIRECTORY/hydro-os-signing/registry-config.yaml"
|
|
||||||
cp "$MODULE_DIRECTORY/hydro-os-signing/registry-config.yaml" "$CONTAINER_DIR/registries.d/$IMAGE_REGISTRY_TITLE.yaml"
|
|
||||||
cp "$MODULE_DIRECTORY/hydro-os-signing/registry-config.yaml" "$ETC_CONTAINER_DIR/registries.d/$IMAGE_REGISTRY_TITLE.yaml"
|
|
||||||
rm "$MODULE_DIRECTORY/hydro-os-signing/registry-config.yaml"
|
|
||||||
@@ -1,4 +0,0 @@
|
|||||||
name: hydro-os-signing
|
|
||||||
shortdesc: The signing module is used to install the required signing policies for cosign image verification with rpm-ostree and bootc. Taken from wayblue.
|
|
||||||
example: |
|
|
||||||
type: hydro-os-signing # This sets up the proper policy and signing files for signed images to work fully
|
|
||||||
@@ -1,104 +0,0 @@
|
|||||||
{
|
|
||||||
"default": [
|
|
||||||
{
|
|
||||||
"type": "reject"
|
|
||||||
}
|
|
||||||
],
|
|
||||||
"transports": {
|
|
||||||
"docker": {
|
|
||||||
"registry.access.redhat.com": [
|
|
||||||
{
|
|
||||||
"type": "signedBy",
|
|
||||||
"keyType": "GPGKeys",
|
|
||||||
"keyPath": "/usr/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release"
|
|
||||||
}
|
|
||||||
],
|
|
||||||
"registry.redhat.io": [
|
|
||||||
{
|
|
||||||
"type": "signedBy",
|
|
||||||
"keyType": "GPGKeys",
|
|
||||||
"keyPath": "/usr/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release"
|
|
||||||
}
|
|
||||||
],
|
|
||||||
"quay.io/toolbx-images": [
|
|
||||||
{
|
|
||||||
"type": "sigstoreSigned",
|
|
||||||
"keyPath": "/usr/etc/pki/containers/quay.io-toolbx-images.pub",
|
|
||||||
"signedIdentity": {
|
|
||||||
"type": "matchRepository"
|
|
||||||
}
|
|
||||||
}
|
|
||||||
],
|
|
||||||
"ghcr.io/ublue-os": [
|
|
||||||
{
|
|
||||||
"type": "sigstoreSigned",
|
|
||||||
"keyPath": "/usr/etc/pki/containers/ublue-os.pub",
|
|
||||||
"signedIdentity": {
|
|
||||||
"type": "matchRepository"
|
|
||||||
}
|
|
||||||
}
|
|
||||||
],
|
|
||||||
"": [
|
|
||||||
{
|
|
||||||
"type": "insecureAcceptAnything"
|
|
||||||
}
|
|
||||||
]
|
|
||||||
},
|
|
||||||
"docker-daemon": {
|
|
||||||
"": [
|
|
||||||
{
|
|
||||||
"type": "insecureAcceptAnything"
|
|
||||||
}
|
|
||||||
]
|
|
||||||
},
|
|
||||||
"atomic": {
|
|
||||||
"": [
|
|
||||||
{
|
|
||||||
"type": "insecureAcceptAnything"
|
|
||||||
}
|
|
||||||
]
|
|
||||||
},
|
|
||||||
"containers-storage": {
|
|
||||||
"": [
|
|
||||||
{
|
|
||||||
"type": "insecureAcceptAnything"
|
|
||||||
}
|
|
||||||
]
|
|
||||||
},
|
|
||||||
"dir": {
|
|
||||||
"": [
|
|
||||||
{
|
|
||||||
"type": "insecureAcceptAnything"
|
|
||||||
}
|
|
||||||
]
|
|
||||||
},
|
|
||||||
"oci": {
|
|
||||||
"": [
|
|
||||||
{
|
|
||||||
"type": "insecureAcceptAnything"
|
|
||||||
}
|
|
||||||
]
|
|
||||||
},
|
|
||||||
"oci-archive": {
|
|
||||||
"": [
|
|
||||||
{
|
|
||||||
"type": "insecureAcceptAnything"
|
|
||||||
}
|
|
||||||
]
|
|
||||||
},
|
|
||||||
"docker-archive": {
|
|
||||||
"": [
|
|
||||||
{
|
|
||||||
"type": "insecureAcceptAnything"
|
|
||||||
}
|
|
||||||
]
|
|
||||||
},
|
|
||||||
"tarball": {
|
|
||||||
"": [
|
|
||||||
{
|
|
||||||
"type": "insecureAcceptAnything"
|
|
||||||
}
|
|
||||||
]
|
|
||||||
}
|
|
||||||
}
|
|
||||||
}
|
|
||||||
@@ -1,3 +0,0 @@
|
|||||||
docker:
|
|
||||||
git.hydrosaber.com/IMAGENAME:
|
|
||||||
use-sigstore-attachments: true
|
|
||||||
@@ -24,6 +24,5 @@ modules:
|
|||||||
- from-file: components/default-flatpak.yml
|
- from-file: components/default-flatpak.yml
|
||||||
- from-file: components/chezmoi-module.yml
|
- from-file: components/chezmoi-module.yml
|
||||||
|
|
||||||
- type: hydro-os-signing
|
- type: signing
|
||||||
source: local
|
|
||||||
|
|
||||||
|
|||||||
@@ -26,6 +26,5 @@ modules:
|
|||||||
- from-file: components/chezmoi-module.yml
|
- from-file: components/chezmoi-module.yml
|
||||||
- type: initramfs
|
- type: initramfs
|
||||||
|
|
||||||
- type: hydro-os-signing
|
- type: signing
|
||||||
source: local
|
|
||||||
|
|
||||||
|
|||||||
Reference in New Issue
Block a user