chunking-signing-daily #17
@@ -1,72 +0,0 @@
|
||||
#!/usr/bin/env bash
|
||||
|
||||
# derived from wayblue repository, modified to work with hydro-os
|
||||
|
||||
# Tell build process to exit if there are any errors.
|
||||
set -euo pipefail
|
||||
|
||||
CONTAINER_DIR="/usr/etc/containers"
|
||||
ETC_CONTAINER_DIR="/etc/containers"
|
||||
MODULE_DIRECTORY="${MODULE_DIRECTORY:-"/tmp/modules"}"
|
||||
IMAGE_NAME_FILE="${IMAGE_NAME//\//_}"
|
||||
IMAGE_REGISTRY_TITLE=$(echo "$IMAGE_REGISTRY" | cut -d'/' -f2-)
|
||||
|
||||
echo "Setting up container signing in policy.json and cosign.yaml for $IMAGE_NAME"
|
||||
echo "Registry to write: $IMAGE_REGISTRY"
|
||||
|
||||
if ! [ -d "$CONTAINER_DIR" ]; then
|
||||
mkdir -p "$CONTAINER_DIR"
|
||||
fi
|
||||
|
||||
if ! [ -d "$ETC_CONTAINER_DIR" ]; then
|
||||
mkdir -p "$ETC_CONTAINER_DIR"
|
||||
fi
|
||||
|
||||
if ! [ -d $CONTAINER_DIR/registries.d ]; then
|
||||
mkdir -p "$CONTAINER_DIR/registries.d"
|
||||
fi
|
||||
|
||||
if ! [ -d $ETC_CONTAINER_DIR/registries.d ]; then
|
||||
mkdir -p "$ETC_CONTAINER_DIR/registries.d"
|
||||
fi
|
||||
|
||||
if ! [ -d "/usr/etc/pki/containers" ]; then
|
||||
mkdir -p "/usr/etc/pki/containers"
|
||||
fi
|
||||
|
||||
if ! [ -d "/etc/pki/containers" ]; then
|
||||
mkdir -p "/etc/pki/containers"
|
||||
fi
|
||||
|
||||
cp "$MODULE_DIRECTORY/hydro-os-signing/policy.json" $CONTAINER_DIR/policy.json
|
||||
cp "$MODULE_DIRECTORY/hydro-os-signing/policy.json" $ETC_CONTAINER_DIR/policy.json
|
||||
|
||||
# covering our bases here since /usr/etc is technically unsupported, reevaluate once bootc is the primary deployment tool
|
||||
cp "/etc/pki/containers/$IMAGE_NAME.pub" "/usr/etc/pki/containers/$IMAGE_REGISTRY_TITLE.pub"
|
||||
cp "/etc/pki/containers/$IMAGE_NAME.pub" "/etc/pki/containers/$IMAGE_REGISTRY_TITLE.pub"
|
||||
rm "/etc/pki/containers/$IMAGE_NAME.pub"
|
||||
|
||||
POLICY_FILE="$CONTAINER_DIR/policy.json"
|
||||
|
||||
jq --arg image_registry "${IMAGE_REGISTRY}" \
|
||||
--arg image_registry_title "${IMAGE_REGISTRY_TITLE}" \
|
||||
'.transports.docker |=
|
||||
{ $image_registry: [
|
||||
{
|
||||
"type": "sigstoreSigned",
|
||||
"keyPath": ("/usr/etc/pki/containers/" + $image_registry_title + ".pub"),
|
||||
"signedIdentity": {
|
||||
"type": "matchRepository"
|
||||
}
|
||||
}
|
||||
] } + .' "${POLICY_FILE}" > POLICY.tmp
|
||||
|
||||
# covering our bases here since /usr/etc is technically unsupported, reevaluate once bootc is the primary deployment tool
|
||||
cp POLICY.tmp /usr/etc/containers/policy.json
|
||||
cp POLICY.tmp /etc/containers/policy.json
|
||||
rm POLICY.tmp
|
||||
|
||||
sed -i "s git.hydrosaber.com/IMAGENAME $IMAGE_REGISTRY g" "$MODULE_DIRECTORY/hydro-os-signing/registry-config.yaml"
|
||||
cp "$MODULE_DIRECTORY/hydro-os-signing/registry-config.yaml" "$CONTAINER_DIR/registries.d/$IMAGE_REGISTRY_TITLE.yaml"
|
||||
cp "$MODULE_DIRECTORY/hydro-os-signing/registry-config.yaml" "$ETC_CONTAINER_DIR/registries.d/$IMAGE_REGISTRY_TITLE.yaml"
|
||||
rm "$MODULE_DIRECTORY/hydro-os-signing/registry-config.yaml"
|
||||
@@ -1,4 +0,0 @@
|
||||
name: hydro-os-signing
|
||||
shortdesc: The signing module is used to install the required signing policies for cosign image verification with rpm-ostree and bootc. Taken from wayblue.
|
||||
example: |
|
||||
type: hydro-os-signing # This sets up the proper policy and signing files for signed images to work fully
|
||||
@@ -1,104 +0,0 @@
|
||||
{
|
||||
"default": [
|
||||
{
|
||||
"type": "reject"
|
||||
}
|
||||
],
|
||||
"transports": {
|
||||
"docker": {
|
||||
"registry.access.redhat.com": [
|
||||
{
|
||||
"type": "signedBy",
|
||||
"keyType": "GPGKeys",
|
||||
"keyPath": "/usr/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release"
|
||||
}
|
||||
],
|
||||
"registry.redhat.io": [
|
||||
{
|
||||
"type": "signedBy",
|
||||
"keyType": "GPGKeys",
|
||||
"keyPath": "/usr/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release"
|
||||
}
|
||||
],
|
||||
"quay.io/toolbx-images": [
|
||||
{
|
||||
"type": "sigstoreSigned",
|
||||
"keyPath": "/usr/etc/pki/containers/quay.io-toolbx-images.pub",
|
||||
"signedIdentity": {
|
||||
"type": "matchRepository"
|
||||
}
|
||||
}
|
||||
],
|
||||
"ghcr.io/ublue-os": [
|
||||
{
|
||||
"type": "sigstoreSigned",
|
||||
"keyPath": "/usr/etc/pki/containers/ublue-os.pub",
|
||||
"signedIdentity": {
|
||||
"type": "matchRepository"
|
||||
}
|
||||
}
|
||||
],
|
||||
"": [
|
||||
{
|
||||
"type": "insecureAcceptAnything"
|
||||
}
|
||||
]
|
||||
},
|
||||
"docker-daemon": {
|
||||
"": [
|
||||
{
|
||||
"type": "insecureAcceptAnything"
|
||||
}
|
||||
]
|
||||
},
|
||||
"atomic": {
|
||||
"": [
|
||||
{
|
||||
"type": "insecureAcceptAnything"
|
||||
}
|
||||
]
|
||||
},
|
||||
"containers-storage": {
|
||||
"": [
|
||||
{
|
||||
"type": "insecureAcceptAnything"
|
||||
}
|
||||
]
|
||||
},
|
||||
"dir": {
|
||||
"": [
|
||||
{
|
||||
"type": "insecureAcceptAnything"
|
||||
}
|
||||
]
|
||||
},
|
||||
"oci": {
|
||||
"": [
|
||||
{
|
||||
"type": "insecureAcceptAnything"
|
||||
}
|
||||
]
|
||||
},
|
||||
"oci-archive": {
|
||||
"": [
|
||||
{
|
||||
"type": "insecureAcceptAnything"
|
||||
}
|
||||
]
|
||||
},
|
||||
"docker-archive": {
|
||||
"": [
|
||||
{
|
||||
"type": "insecureAcceptAnything"
|
||||
}
|
||||
]
|
||||
},
|
||||
"tarball": {
|
||||
"": [
|
||||
{
|
||||
"type": "insecureAcceptAnything"
|
||||
}
|
||||
]
|
||||
}
|
||||
}
|
||||
}
|
||||
@@ -1,3 +0,0 @@
|
||||
docker:
|
||||
git.hydrosaber.com/IMAGENAME:
|
||||
use-sigstore-attachments: true
|
||||
@@ -24,6 +24,5 @@ modules:
|
||||
- from-file: components/default-flatpak.yml
|
||||
- from-file: components/chezmoi-module.yml
|
||||
|
||||
- type: hydro-os-signing
|
||||
source: local
|
||||
- type: signing
|
||||
|
||||
|
||||
@@ -26,6 +26,5 @@ modules:
|
||||
- from-file: components/chezmoi-module.yml
|
||||
- type: initramfs
|
||||
|
||||
- type: hydro-os-signing
|
||||
source: local
|
||||
- type: signing
|
||||
|
||||
|
||||
Reference in New Issue
Block a user