chore(recipe): Allow changing the public key used to verify base image

blue-build · Jan 3, 2024 · 2b5f6aa · 2b5f6aa
1 parent 52e6a45
commit 2b5f6aa
Show file tree

Hide file tree

Showing 2 changed files with 4 additions and 0 deletions.
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -80,11 +80,13 @@ jobs:
           BASE_IMAGE=$(yq '.base-image' ./config/${{ matrix.recipe }})
           echo "BASE_IMAGE_URL=$BASE_IMAGE" >> $GITHUB_ENV
           echo "BASE_IMAGE_NAME=$(echo $BASE_IMAGE | sed 's/.*\/.*\///')" >> $GITHUB_ENV
+          echo "BASE_IMAGE_PUBKEY=$(yq '.base-image-pubkey' ./config/${{ matrix.recipe }})" >> $GITHUB_ENV
 
       - name: Verify base image
         uses: EyeCantCU/cosign-action/[email protected]
         with:
           containers: ${{ env.BASE_IMAGE_NAME }}:${{ env.IMAGE_MAJOR_VERSION }}
+          pubkey: ${{ env.BASE_IMAGE_PUBKEY }}
 
       - name: Get current version
         id: labels

diff --git a/config/recipe.yml b/config/recipe.yml
@@ -5,6 +5,8 @@ description: A starting point for further customization of uBlue images. Make yo
 
 # the base image to build on top of (FROM) and the version tag to use
 base-image: ghcr.io/ublue-os/silverblue-main
+# public key used by base image, default is key used by Universal Blue
+base-image-pubkey: 'https://raw.githubusercontent.com/ublue-os/main/main/cosign.pub'
 image-version: 39 # latest is also supported if you want new updates ASAP
 
 # module configuration, executed in order