diff --git a/Containerfile b/Containerfile
index 9b5990327e..c86846fcbe 100644
--- a/Containerfile
+++ b/Containerfile
@@ -29,6 +29,8 @@ COPY usr /usr
 # Copy public key
 COPY cosign.pub /usr/etc/pki/containers/cosign.pub
+# Copy base signing config
+COPY usr/etc/containers /usr/etc/
 # Copy the recipe that we're building.
 COPY ${RECIPE} /usr/share/ublue-os/recipe.yml
diff --git a/scripts/build.sh b/scripts/build.sh
index 3f2561552c..b6d5ac6622 100644
--- a/scripts/build.sh
+++ b/scripts/build.sh
@@ -22,6 +22,12 @@ YAFTI_ENABLED="$(get_yaml_string '.firstboot.yafti')"
 # Welcome.
 echo "Building custom Fedora ${FEDORA_VERSION} from image: \"${BASE_IMAGE}\"."
+# Setup container signing
+echo "Setup container signing in policy.json and cosign.yaml"
+echo "Registry to write: $IMAGE_REGISTRY"
+sed -i "s ghcr.io/ublue-os $IMAGE_REGISTRY g" /usr/etc/containers/policy.json
+sed -i "s ghcr.io/ublue-os $IMAGE_REGISTRY g" /usr/etc/containers/registries.d/cosign.yaml
+
 # Add custom repos.
 get_yaml_array repos '.rpm.repos[]'
 if [[ ${#repos[@]} -gt 0 ]]; then
@@ -105,20 +111,5 @@ if [[ "${YAFTI_ENABLED}" == "true" ]]; then
 fi
 fi
-# Setup container signing
-echo "Setup container signing in policy.json and cosign.yaml"
-echo "Registry to write: $IMAGE_REGISTRY"
-
-jq '.transports.docker."$IMAGE_REGISTRY" += [{
- "type": "sigstoreSigned",
- "keyPath": "/usr/etc/pki/containers/cosign.pub",
- "signedIdentity": {
- "type": "matchRepository"
- }
-}]' /usr/etc/containers/policy.json > /usr/etc/containers/policy.json
-
-cp /usr/etc/containers/registries.d/ublue-os.yaml /usr/etc/containers/registries.d/cosign.yaml
-sed -i "s ghcr.io/ublue-os $IMAGE_REGISTRY g" /usr/etc/containers/registries.d/cosign.yaml
-
 # Run "post" scripts.
 run_scripts "post"
diff --git a/usr/etc/containers/policy.json b/usr/etc/containers/policy.json
new file mode 100644
index 0000000000..aa4e3ee162
--- /dev/null
+++ b/usr/etc/containers/policy.json
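Review bot: `COPY usr/etc/containers /usr/etc/` copies the contents of the source directory, not the directory itself, so policy.json and registries.d/ land directly under /usr/etc/ instead of under /usr/etc/containers/ where build.sh and the policy's keyPath expect them. The `COPY usr /usr` visible in the hunk header already installs the same files at the intended path, so the added line is redundant at best and misleading at worst. Either drop the two added lines or make the destination explicit with `COPY usr/etc/containers /usr/etc/containers/`.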
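Review bot: The two added `sed -i "s ghcr.io/ublue-os $IMAGE_REGISTRY g"` lines use a space as the s/// delimiter and expand `$IMAGE_REGISTRY` unescaped into the expression, so a value containing a space, `&` or `\` alters the command rather than the file, and an unset or empty value silently rewrites the `"ghcr.io/ublue-os"` scope key to `""`, which collides with the existing `""` catch-all in policy.json and may drop the sigstore entry depending on how the JSON parser treats duplicate keys. sed -i also exits 0 when nothing matched, so a policy that still carries the upstream scope would go unnoticed. Suggest asserting the value first, `: "${IMAGE_REGISTRY:?IMAGE_REGISTRY must be set}"`, using a delimiter that cannot occur in a registry path and escaping the dot, `sed -i "s|ghcr\.io/ublue-os|${IMAGE_REGISTRY}|g" /usr/etc/containers/policy.json`, and verifying the result with `grep -q -- "\"${IMAGE_REGISTRY}\"" /usr/etc/containers/policy.json || exit 1`. Note that after the substitution neither file has a ghcr.io/ublue-os scope any more, so upstream ublue-os images fall through to the `""` insecureAcceptAnything entry; if that is intended, a comment here saying so would help the next reader.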
@@ -0,0 +1,74 @@
+{
+ "default": [
+ {
+ "type": "reject"
+ }
+ ],
+ "transports": {
+ "docker": {
+ "registry.access.redhat.com": [
+ {
+ "type": "signedBy",
+ "keyType": "GPGKeys",
+ "keyPath": "/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release"
+ }
+ ],
+ "registry.redhat.io": [
+ {
+ "type": "signedBy",
+ "keyType": "GPGKeys",
+ "keyPath": "/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release"
+ }
+ ],
+ "ghcr.io/ublue-os": [
+ {
+ "type": "sigstoreSigned",
+ "keyPath": "/usr/etc/pki/containers/cosign.pub",
+ "signedIdentity": {
+ "type": "matchRepository"
+ }
+ }
+ ],
+ "": [
+ {
+ "type": "insecureAcceptAnything"
+ }
+ ]
+ },
+ "docker-daemon": {
+ "": [
+ {
+ "type": "insecureAcceptAnything"
+ }
+ ]
+ },
+ "atomic": {
+ "": [
+ {
+ "type": "insecureAcceptAnything"
+ }
+ ]
+ },
+ "dir": {
+ "": [
+ {
+ "type": "insecureAcceptAnything"
+ }
+ ]
+ },
+ "oci": {
+ "": [
+ {
+ "type": "insecureAcceptAnything"
+ }
+ ]
+ },
+ "tarball": {
+ "": [
+ {
+ "type": "insecureAcceptAnything"
+ }
+ ]
+ }
+ }
+}
diff --git a/usr/etc/containers/registries.d/cosign.yaml b/usr/etc/containers/registries.d/cosign.yaml
new file mode 100644
index 0000000000..24b197fa1a
--- /dev/null
+++ b/usr/etc/containers/registries.d/cosign.yaml
@@ -0,0 +1,3 @@
+docker:
+ ghcr.io/ublue-os:
+ use-sigstore-attachments: true
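Review bot: The top-level `"default": [{"type": "reject"}]` never takes effect, because every transport under `transports` ends with a `""` scope of `insecureAcceptAnything`, and the `""` entry under `docker` in particular means any registry other than the three named scopes is pulled with no signature check at all. If fail-closed was the intent, remove the `""` entry under `docker` (accepting that pulls of unsigned base or third-party images would then fail); if accept-by-default is intended, setting `default` to `insecureAcceptAnything` would make the effective policy match what a reader sees. Since JSON has no comments, the chosen trade-off is best recorded next to the sed lines in scripts/build.sh that rewrite this file.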