From 3e6c9fae7b2df303dda7ad59285802453412a0da Mon Sep 17 00:00:00 2001 From: Caleb Woodbine Date: Wed, 21 Feb 2024 10:44:09 +1300 Subject: [PATCH] feat: sign keyless tidy up --- .github/workflows/build.yml | 5 +- Containerfile | 1 - README.md | 8 +- cosign.pub | 4 - files/usr/etc/containers/policy.json | 183 +++++++++++++------------ hack/update-ii-image-in-policy-json.sh | 14 ++ 6 files changed, 111 insertions(+), 104 deletions(-) delete mode 100644 cosign.pub create mode 100755 hack/update-ii-image-in-policy-json.sh diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 756300b..935c6c9 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -139,11 +139,10 @@ jobs: - name: Sign container image if: github.event_name != 'pull_request' run: | - cosign sign -y --key env://COSIGN_PRIVATE_KEY ${{ steps.registry_case.outputs.lowercase }}/${{ steps.build_image.outputs.image }}@${TAGS} + cosign sign -y ${{ steps.registry_case.outputs.lowercase }}/${{ steps.build_image.outputs.image }}@${TAGS} env: TAGS: ${{ steps.push.outputs.digest }} - COSIGN_EXPERIMENTAL: false - COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }} + COSIGN_YES: true - name: Echo outputs if: github.event_name != 'pull_request' diff --git a/Containerfile b/Containerfile index 8a03bda..a536e95 100644 --- a/Containerfile +++ b/Containerfile @@ -1,7 +1,6 @@ ARG VERSION="${VERSION:-latest}" FROM ghcr.io/ublue-os/silverblue-main:${VERSION} COPY files / -COPY cosign.pub /usr/etc/pki/containers/ii.pub RUN sed -i -e '0,/enabled=0/s//enabled=1/' /etc/yum.repos.d/fedora-updates-testing.repo && \ rpm-ostree install \ vim \ diff --git a/README.md b/README.md index c6dd483..b62371c 100644 --- a/README.md +++ b/README.md @@ -17,15 +17,9 @@ rpm-ostree reset rebase to the image ```shell -rpm-ostree rebase ostree-unverified-registry:ghcr.io/ii/image:latest -``` -(as root) -and reboot - -then rebase to the signed version -```shell rpm-ostree rebase ostree-image-signed:docker://ghcr.io/ii/image:latest ``` +(as root) ## Making changes diff --git a/cosign.pub b/cosign.pub deleted file mode 100644 index deebeb0..0000000 --- a/cosign.pub +++ /dev/null @@ -1,4 +0,0 @@ ------BEGIN PUBLIC KEY----- -MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEK+j64GjKLFk0gt3Wz+FVX117+l3d -njHGw1OBhnSFvCbnIWSwmood8uGP10RRClStxFvHz2YYvqlBZExHIpp3Ig== ------END PUBLIC KEY----- diff --git a/files/usr/etc/containers/policy.json b/files/usr/etc/containers/policy.json index 07eb16e..a8c92a9 100644 --- a/files/usr/etc/containers/policy.json +++ b/files/usr/etc/containers/policy.json @@ -1,95 +1,100 @@ { - "default": [ + "default": [ + { + "type": "reject" + } + ], + "transports": { + "docker": { + "registry.access.redhat.com": [ + { + "type": "signedBy", + "keyType": "GPGKeys", + "keyPath": "/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release" + } + ], + "registry.redhat.io": [ + { + "type": "signedBy", + "keyType": "GPGKeys", + "keyPath": "/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release" + } + ], + "ghcr.io/ii": [ + { + "type": "sigstoreSigned", + "fulcio": { + "caData": "-----BEGIN CERTIFICATE-----\nMIIB9zCCAXygAwIBAgIUALZNAPFdxHPwjeDloDwyYChAO/4wCgYIKoZIzj0EAwMw\nKjEVMBMGA1UEChMMc2lnc3RvcmUuZGV2MREwDwYDVQQDEwhzaWdzdG9yZTAeFw0y\nMTEwMDcxMzU2NTlaFw0zMTEwMDUxMzU2NThaMCoxFTATBgNVBAoTDHNpZ3N0b3Jl\nLmRldjERMA8GA1UEAxMIc2lnc3RvcmUwdjAQBgcqhkjOPQIBBgUrgQQAIgNiAAT7\nXeFT4rb3PQGwS4IajtLk3/OlnpgangaBclYpsYBr5i+4ynB07ceb3LP0OIOZdxex\nX69c5iVuyJRQ+Hz05yi+UF3uBWAlHpiS5sh0+H2GHE7SXrk1EC5m1Tr19L9gg92j\nYzBhMA4GA1UdDwEB/wQEAwIBBjAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBRY\nwB5fkUWlZql6zJChkyLQKsXF+jAfBgNVHSMEGDAWgBRYwB5fkUWlZql6zJChkyLQ\nKsXF+jAKBggqhkjOPQQDAwNpADBmAjEAj1nHeXZp+13NWBNa+EDsDP8G1WWg1tCM\nWP/WHPqpaVo0jhsweNFZgSs0eE7wYI4qAjEA2WB9ot98sIkoF3vZYdd3/VtWB5b9\nTNMea7Ix/stJ5TfcLLeABLE4BNJOsQ4vnBHJ\n-----END CERTIFICATE-----\n", + "oidcIssuer": "https://token.actions.githubusercontent.com", + "subjectEmail": "https://github.com/ii/image/.github/workflows/build.yml@refs/heads/main" + }, + "rekorPublicKeyData": "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE2G2Y+2tabdTV5BcGiBIx0a9fAFwr\nkBbmLSGtks4L3qX6yYY0zufBnhC8Ur/iy55GhWP/9A/bY2LhC30M9+RYtw==\n-----END PUBLIC KEY-----\n", + "signedIdentity": { + "type": "matchRepository" + } + } + ], + "": [ + { + "type": "insecureAcceptAnything" + } + ] + }, + "docker-daemon": { + "": [ + { + "type": "insecureAcceptAnything" + } + ] + }, + "atomic": { + "": [ { - "type": "reject" + "type": "insecureAcceptAnything" } - ], - "transports": { - "docker": { - "registry.access.redhat.com": [ - { - "type": "signedBy", - "keyType": "GPGKeys", - "keyPath": "/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release" - } - ], - "registry.redhat.io": [ - { - "type": "signedBy", - "keyType": "GPGKeys", - "keyPath": "/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release" - } - ], - "ghcr.io/ii": [ - { - "type": "sigstoreSigned", - "keyPath": "/usr/etc/pki/containers/ii.pub", - "signedIdentity": { - "type": "matchRepository" - } - } - ], - "": [ - { - "type": "insecureAcceptAnything" - } - ] - }, - "docker-daemon": { - "": [ - { - "type": "insecureAcceptAnything" - } - ] - }, - "atomic": { - "": [ - { - "type": "insecureAcceptAnything" - } - ] - }, - "containers-storage": { - "": [ - { - "type": "insecureAcceptAnything" - } - ] - }, - "dir": { - "": [ - { - "type": "insecureAcceptAnything" - } - ] - }, - "oci": { - "": [ - { - "type": "insecureAcceptAnything" - } - ] - }, - "oci-archive": { - "": [ - { - "type": "insecureAcceptAnything" - } - ] - }, - "docker-archive": { - "": [ - { - "type": "insecureAcceptAnything" - } - ] - }, - "tarball": { - "": [ - { - "type": "insecureAcceptAnything" - } - ] + ] + }, + "containers-storage": { + "": [ + { + "type": "insecureAcceptAnything" + } + ] + }, + "dir": { + "": [ + { + "type": "insecureAcceptAnything" + } + ] + }, + "oci": { + "": [ + { + "type": "insecureAcceptAnything" + } + ] + }, + "oci-archive": { + "": [ + { + "type": "insecureAcceptAnything" + } + ] + }, + "docker-archive": { + "": [ + { + "type": "insecureAcceptAnything" + } + ] + }, + "tarball": { + "": [ + { + "type": "insecureAcceptAnything" } + ] } + } } diff --git a/hack/update-ii-image-in-policy-json.sh b/hack/update-ii-image-in-policy-json.sh new file mode 100755 index 0000000..db2e3cc --- /dev/null +++ b/hack/update-ii-image-in-policy-json.sh @@ -0,0 +1,14 @@ +#!/usr/bin/env sh + +set -o errexit +set -o nounset + +cd "$(git rev-parse --show-toplevel)" || exit 1 +echo "$( \ + jq \ + --arg FULCIO_PUB "$(curl -sSL https://github.com/sigstore/root-signing/raw/main/targets/fulcio_v1.crt.pem | sed 's,$,\\n,g' | tr -d '\n')" \ + --arg REKOR_PUB "$(curl -sSL https://github.com/sigstore/root-signing/raw/main/targets/rekor.pub | sed 's,$,\\n,g' | tr -d '\n')" \ + '.transports.docker["ghcr.io/ii"][].rekorPublicKeyData = $REKOR_PUB | .transports.docker["ghcr.io/ii"][].fulcio.caData = $FULCIO_PUB' \ + files/usr/etc/containers/policy.json \ + )" \ + > files/usr/etc/containers/policy.json