feat: sign keyless

tidy up
ii · Feb 21, 2024 · 3e6c9fa · 3e6c9fa
1 parent e1f3bb4
commit 3e6c9fa
Show file tree

Hide file tree

Showing 6 changed files with 111 additions and 104 deletions.
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -139,11 +139,10 @@ jobs:
       - name: Sign container image
         if: github.event_name != 'pull_request'
         run: |
-          cosign sign -y --key env://COSIGN_PRIVATE_KEY ${{ steps.registry_case.outputs.lowercase }}/${{ steps.build_image.outputs.image }}@${TAGS}
+          cosign sign -y ${{ steps.registry_case.outputs.lowercase }}/${{ steps.build_image.outputs.image }}@${TAGS}
         env:
           TAGS: ${{ steps.push.outputs.digest }}
-          COSIGN_EXPERIMENTAL: false
-          COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }}
+          COSIGN_YES: true
 
       - name: Echo outputs
         if: github.event_name != 'pull_request'

diff --git a/Containerfile b/Containerfile
@@ -1,7 +1,6 @@
 ARG VERSION="${VERSION:-latest}"
 FROM ghcr.io/ublue-os/silverblue-main:${VERSION}
 COPY files /
-COPY cosign.pub /usr/etc/pki/containers/ii.pub
 RUN sed -i -e '0,/enabled=0/s//enabled=1/' /etc/yum.repos.d/fedora-updates-testing.repo && \
   rpm-ostree install \
     vim \

diff --git a/README.md b/README.md
@@ -17,15 +17,9 @@ rpm-ostree reset
 
 rebase to the image
 ```shell
-rpm-ostree rebase ostree-unverified-registry:ghcr.io/ii/image:latest
-```
-(as root)
-and reboot
-
-then rebase to the signed version
-```shell
 rpm-ostree rebase ostree-image-signed:docker://ghcr.io/ii/image:latest
 ```
+(as root)
 
 ## Making changes
 

diff --git a/cosign.pub b/cosign.pub
diff --git a/files/usr/etc/containers/policy.json b/files/usr/etc/containers/policy.json
@@ -1,95 +1,100 @@
 {
-    "default": [
+  "default": [
+    {
+      "type": "reject"
+    }
+  ],
+  "transports": {
+    "docker": {
+      "registry.access.redhat.com": [
+        {
+          "type": "signedBy",
+          "keyType": "GPGKeys",
+          "keyPath": "/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release"
+        }
+      ],
+      "registry.redhat.io": [
+        {
+          "type": "signedBy",
+          "keyType": "GPGKeys",
+          "keyPath": "/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release"
+        }
+      ],
+      "ghcr.io/ii": [
+        {
+          "type": "sigstoreSigned",
+          "fulcio": {
+            "caData": "-----BEGIN CERTIFICATE-----\nMIIB9zCCAXygAwIBAgIUALZNAPFdxHPwjeDloDwyYChAO/4wCgYIKoZIzj0EAwMw\nKjEVMBMGA1UEChMMc2lnc3RvcmUuZGV2MREwDwYDVQQDEwhzaWdzdG9yZTAeFw0y\nMTEwMDcxMzU2NTlaFw0zMTEwMDUxMzU2NThaMCoxFTATBgNVBAoTDHNpZ3N0b3Jl\nLmRldjERMA8GA1UEAxMIc2lnc3RvcmUwdjAQBgcqhkjOPQIBBgUrgQQAIgNiAAT7\nXeFT4rb3PQGwS4IajtLk3/OlnpgangaBclYpsYBr5i+4ynB07ceb3LP0OIOZdxex\nX69c5iVuyJRQ+Hz05yi+UF3uBWAlHpiS5sh0+H2GHE7SXrk1EC5m1Tr19L9gg92j\nYzBhMA4GA1UdDwEB/wQEAwIBBjAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBRY\nwB5fkUWlZql6zJChkyLQKsXF+jAfBgNVHSMEGDAWgBRYwB5fkUWlZql6zJChkyLQ\nKsXF+jAKBggqhkjOPQQDAwNpADBmAjEAj1nHeXZp+13NWBNa+EDsDP8G1WWg1tCM\nWP/WHPqpaVo0jhsweNFZgSs0eE7wYI4qAjEA2WB9ot98sIkoF3vZYdd3/VtWB5b9\nTNMea7Ix/stJ5TfcLLeABLE4BNJOsQ4vnBHJ\n-----END CERTIFICATE-----\n",
+            "oidcIssuer": "https://token.actions.githubusercontent.com",
+            "subjectEmail": "https://github.com/ii/image/.github/workflows/build.yml@refs/heads/main"
+          },
+          "rekorPublicKeyData": "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE2G2Y+2tabdTV5BcGiBIx0a9fAFwr\nkBbmLSGtks4L3qX6yYY0zufBnhC8Ur/iy55GhWP/9A/bY2LhC30M9+RYtw==\n-----END PUBLIC KEY-----\n",
+          "signedIdentity": {
+            "type": "matchRepository"
+          }
+        }
+      ],
+      "": [
+        {
+          "type": "insecureAcceptAnything"
+        }
+      ]
+    },
+    "docker-daemon": {
+      "": [
+        {
+          "type": "insecureAcceptAnything"
+        }
+      ]
+    },
+    "atomic": {
+      "": [
         {
-            "type": "reject"
+          "type": "insecureAcceptAnything"
         }
-    ],
-    "transports": {
-        "docker": {
-            "registry.access.redhat.com": [
-                {
-                    "type": "signedBy",
-                    "keyType": "GPGKeys",
-                    "keyPath": "/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release"
-                }
-            ],
-            "registry.redhat.io": [
-                {
-                    "type": "signedBy",
-                    "keyType": "GPGKeys",
-                    "keyPath": "/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release"
-                }
-            ],
-            "ghcr.io/ii": [
-                {
-                    "type": "sigstoreSigned",
-                    "keyPath": "/usr/etc/pki/containers/ii.pub",
-                    "signedIdentity": {
-                        "type": "matchRepository"
-                    }
-                }
-            ],
-            "": [
-                {
-                    "type": "insecureAcceptAnything"
-                }
-            ]
-        },
-        "docker-daemon": {
-            "": [
-                {
-                    "type": "insecureAcceptAnything"
-                }
-            ]
-        },
-        "atomic": {
-            "": [
-                {
-                    "type": "insecureAcceptAnything"
-                }
-            ]
-        },
-        "containers-storage": {
-            "": [
-                {
-                    "type": "insecureAcceptAnything"
-                }
-            ]
-        },
-        "dir": {
-            "": [
-                {
-                    "type": "insecureAcceptAnything"
-                }
-            ]
-        },
-        "oci": {
-            "": [
-                {
-                    "type": "insecureAcceptAnything"
-                }
-            ]
-        },
-        "oci-archive": {
-            "": [
-                {
-                    "type": "insecureAcceptAnything"
-                }
-            ]
-        },
-        "docker-archive": {
-            "": [
-                {
-                    "type": "insecureAcceptAnything"
-                }
-            ]
-        },
-        "tarball": {
-            "": [
-                {
-                    "type": "insecureAcceptAnything"
-                }
-            ]
+      ]
+    },
+    "containers-storage": {
+      "": [
+        {
+          "type": "insecureAcceptAnything"
+        }
+      ]
+    },
+    "dir": {
+      "": [
+        {
+          "type": "insecureAcceptAnything"
+        }
+      ]
+    },
+    "oci": {
+      "": [
+        {
+          "type": "insecureAcceptAnything"
+        }
+      ]
+    },
+    "oci-archive": {
+      "": [
+        {
+          "type": "insecureAcceptAnything"
+        }
+      ]
+    },
+    "docker-archive": {
+      "": [
+        {
+          "type": "insecureAcceptAnything"
+        }
+      ]
+    },
+    "tarball": {
+      "": [
+        {
+          "type": "insecureAcceptAnything"
         }
+      ]
     }
+  }
 }
diff --git a/hack/update-ii-image-in-policy-json.sh b/hack/update-ii-image-in-policy-json.sh
@@ -0,0 +1,14 @@
+#!/usr/bin/env sh
+
+set -o errexit
+set -o nounset
+
+cd "$(git rev-parse --show-toplevel)" || exit 1
+echo "$( \
+    jq \
+    --arg FULCIO_PUB "$(curl -sSL https://github.com/sigstore/root-signing/raw/main/targets/fulcio_v1.crt.pem | sed 's,$,\\n,g' | tr -d '\n')" \
+    --arg REKOR_PUB "$(curl -sSL https://github.com/sigstore/root-signing/raw/main/targets/rekor.pub | sed 's,$,\\n,g' | tr -d '\n')" \
+    '.transports.docker["ghcr.io/ii"][].rekorPublicKeyData = $REKOR_PUB | .transports.docker["ghcr.io/ii"][].fulcio.caData = $FULCIO_PUB' \
+    files/usr/etc/containers/policy.json \
+    )" \
+    > files/usr/etc/containers/policy.json