diff --git a/Containerfile b/Containerfile
index c86846fcbe..dcbc6612b0 100644
--- a/Containerfile
+++ b/Containerfile
@@ -28,9 +28,7 @@ ARG IMAGE_REGISTRY=ghcr.io/ublue-os
 COPY usr /usr
 # Copy public key
-COPY cosign.pub /usr/etc/pki/containers/cosign.pub
-# Copy base signing config
-COPY usr/etc/containers /usr/etc/
+COPY cosign.pub /usr/share/ublue-os/cosign.pub
 # Copy the recipe that we're building.
 COPY ${RECIPE} /usr/share/ublue-os/recipe.yml
diff --git a/scripts/build.sh b/scripts/build.sh
index b6d5ac6622..c5d43fffbf 100644
--- a/scripts/build.sh
+++ b/scripts/build.sh
@@ -22,12 +22,6 @@ YAFTI_ENABLED="$(get_yaml_string '.firstboot.yafti')"
 # Welcome.
 echo "Building custom Fedora ${FEDORA_VERSION} from image: \"${BASE_IMAGE}\"."
-# Setup container signing
-echo "Setup container signing in policy.json and cosign.yaml"
-echo "Registry to write: $IMAGE_REGISTRY"
-sed -i "s ghcr.io/ublue-os $IMAGE_REGISTRY g" /usr/etc/containers/policy.json
-sed -i "s ghcr.io/ublue-os $IMAGE_REGISTRY g" /usr/etc/containers/registries.d/cosign.yaml
-
 # Add custom repos.
 get_yaml_array repos '.rpm.repos[]'
 if [[ ${#repos[@]} -gt 0 ]]; then
@@ -111,5 +105,34 @@ if [[ "${YAFTI_ENABLED}" == "true" ]]; then
 fi
 fi
+# Setup container signing
+echo "Setup container signing in policy.json and cosign.yaml"
+echo "Registry to write: $IMAGE_REGISTRY"
+
+# Copy Name
+NAME=$(get_yaml_string '.name')
+cp /usr/share/ublue-os/cosign.pub /usr/etc/pki/containers/"$NAME".pub
+
+# Work around the fact that jq doesn't have an "inplace" option
+FILE=/usr/etc/containers/policy.json
+TMP=/tmp/policy.json
+
+jq '.transports.docker |=
+{"'"$IMAGE_REGISTRY"'": [
+{
+"type": "sigstoreSigned",
+"keyPath": "/usr/etc/pki/containers/'"$NAME"'.pub",
+"signedIdentity": {
+"type": "matchRepository"
+}
+}
+]
+}
++ .' $FILE > $TMP
+mv -f $TMP $FILE
+
+cp /usr/etc/containers/registries.d/ublue-os.yaml /usr/etc/containers/registries.d/"$NAME".yaml
+sed -i "s ghcr.io/ublue-os $IMAGE_REGISTRY g" /usr/etc/containers/registries.d/"$NAME".yaml
+
 # Run "post" scripts.
 run_scripts "post"
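Review bot: `$IMAGE_REGISTRY` and `$NAME` are spliced into the jq program text by closing and reopening the single quotes, so any `"`, `\` or `'` in the recipe's `.name` (or in the registry value) breaks the filter or lands in policy.json unescaped; pass both with `--arg` and build the key and `keyPath` inside jq, and quote `"$FILE"` and `"$TMP"` on the `jq` and `mv` lines. `TMP=/tmp/policy.json` is a fixed, predictable path that `mv -f` then installs over the system signature policy — create it with `mktemp` instead, and note that if `jq` fails and the script is not running under `set -e` (its header is outside this hunk) an empty `policy.json` would be installed. `$NAME` is also used unvalidated as a filename under `/usr/etc/pki/containers/` and `registries.d/`, so an empty name or one containing `/` writes to an unintended path; reject those before the `cp` lines. One caveat worth a comment: in `{new} + .` the right-hand (existing) object wins on duplicate keys, so when `IMAGE_REGISTRY` is already present in the base policy — as the default `ghcr.io/ublue-os` from the Containerfile would be — the generated entry is silently discarded even though the script prints "Registry to write".
```shell
NAME=$(get_yaml_string '.name')
[[ -n "$NAME" && "$NAME" != */* ]] || { echo "invalid recipe .name: '$NAME'" >&2; exit 1; }
# … unchanged: cp of cosign.pub to /usr/etc/pki/containers/"$NAME".pub …
FILE=/usr/etc/containers/policy.json
TMP=$(mktemp /tmp/policy.XXXXXX)
jq --arg reg "$IMAGE_REGISTRY" --arg name "$NAME" \
  '.transports.docker |= ({($reg): [
      {
        "type": "sigstoreSigned",
        "keyPath": ("/usr/etc/pki/containers/" + $name + ".pub"),
        "signedIdentity": { "type": "matchRepository" }
      }
    ]} + .)' "$FILE" > "$TMP"
mv -f "$TMP" "$FILE"
# … unchanged: registries.d copy and sed …
```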