From d2c98237f414b826d84cbb3199e9a9707ac67124 Mon Sep 17 00:00:00 2001 From: gerblesh <101901964+gerblesh@users.noreply.github.com> Date: Thu, 20 Jul 2023 22:35:59 -0700 Subject: [PATCH] feat: add support for image signing --- Containerfile | 4 ++ scripts/build.sh | 5 ++ usr/etc/containers/policy.json | 74 +++++++++++++++++++++ usr/etc/containers/registries.d/cosign.yaml | 3 + 4 files changed, 86 insertions(+) create mode 100644 usr/etc/containers/policy.json create mode 100644 usr/etc/containers/registries.d/cosign.yaml diff --git a/Containerfile b/Containerfile index 2789d151ea..9fdfc65718 100644 --- a/Containerfile +++ b/Containerfile @@ -23,6 +23,10 @@ ARG RECIPE=./recipe.yml # for manual overrides and editing by the machine's admin AFTER installation! # See issue #28 (https://github.com/ublue-os/startingpoint/issues/28). COPY usr /usr +# Copy public key +COPY ./cosign.pub /usr/etc/pki/containers/cosign.pub +# Copy base signing config +COPY ./usr/etc/containers /usr/etc/ # Copy the recipe that we're building. COPY ${RECIPE} /usr/share/ublue-os/recipe.yml diff --git a/scripts/build.sh b/scripts/build.sh index e0d330a7a2..6795ae65b3 100644 --- a/scripts/build.sh +++ b/scripts/build.sh @@ -22,6 +22,11 @@ YAFTI_ENABLED="$(get_yaml_string '.firstboot.yafti')" # Welcome. echo "Building custom Fedora ${FEDORA_VERSION} from image: \"${BASE_IMAGE}\"." +# Setup container signing +echo "Setup container signing in policy.json and cosign.yaml" +sed -i "s ghcr.io/ublue-os $IMAGE_REGISTRY g" /usr/etc/containers/policy.json +sed -i "s ghcr.io/ublue-os $IMAGE_REGISTRY g" /usr/etc/containers/registries.d/cosign.yaml + # Add custom repos. get_yaml_array repos '.rpm.repos[]' if [[ ${#repos[@]} -gt 0 ]]; then diff --git a/usr/etc/containers/policy.json b/usr/etc/containers/policy.json new file mode 100644 index 0000000000..aa4e3ee162 --- /dev/null +++ b/usr/etc/containers/policy.json @@ -0,0 +1,74 @@ +{ + "default": [ + { + "type": "reject" + } + ], + "transports": { + "docker": { + "registry.access.redhat.com": [ + { + "type": "signedBy", + "keyType": "GPGKeys", + "keyPath": "/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release" + } + ], + "registry.redhat.io": [ + { + "type": "signedBy", + "keyType": "GPGKeys", + "keyPath": "/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release" + } + ], + "ghcr.io/ublue-os": [ + { + "type": "sigstoreSigned", + "keyPath": "/usr/etc/pki/containers/cosign.pub", + "signedIdentity": { + "type": "matchRepository" + } + } + ], + "": [ + { + "type": "insecureAcceptAnything" + } + ] + }, + "docker-daemon": { + "": [ + { + "type": "insecureAcceptAnything" + } + ] + }, + "atomic": { + "": [ + { + "type": "insecureAcceptAnything" + } + ] + }, + "dir": { + "": [ + { + "type": "insecureAcceptAnything" + } + ] + }, + "oci": { + "": [ + { + "type": "insecureAcceptAnything" + } + ] + }, + "tarball": { + "": [ + { + "type": "insecureAcceptAnything" + } + ] + } + } +} diff --git a/usr/etc/containers/registries.d/cosign.yaml b/usr/etc/containers/registries.d/cosign.yaml new file mode 100644 index 0000000000..24b197fa1a --- /dev/null +++ b/usr/etc/containers/registries.d/cosign.yaml @@ -0,0 +1,3 @@ +docker: + ghcr.io/ublue-os: + use-sigstore-attachments: true