feat: Add image-signing.sh

zelikos · Jun 16, 2024 · 4d4abb8 · 4d4abb8
1 parent 5514c18
commit 4d4abb8
Show file tree

Hide file tree

Showing 3 changed files with 33 additions and 5 deletions.
diff --git a/scripts/base/build-base.sh b/scripts/base/build-base.sh
@@ -3,6 +3,7 @@
 set -ouex pipefail
 
 . /tmp/base/image-info.sh
+. /tmp/base/image-signing.sh
 . /tmp/base/install-fonts.sh
 . /tmp/base/base-packages.sh
 

diff --git a/scripts/base/image-info.sh b/scripts/base/image-info.sh
@@ -1,9 +1,6 @@
-#!/usr/bin/env bash
+#!/usrbin/env bash
 
-# Tell this script to exit if there are any errors.
-# You should have this in every custom script, to ensure that your completed
-# builds actually ran successfully without any errors!
-set -oue pipefail
+set -ouex pipefail
 
 if grep -q "kinoite" <<< "${SOURCE_IMAGE}"; then
   sed -i '/^PRETTY_NAME/s/Kinoite/Zeliblue Plasma/' /usr/lib/os-release

diff --git a/scripts/base/image-signing.sh b/scripts/base/image-signing.sh
@@ -0,0 +1,30 @@
+#!/usrbin/env bash
+
+set -ouex pipefail
+
+IMAGE_NAME=zeliblue
+IMAGE_REGISTRY=ghcr.io/zelikos
+IMAGE_INFO=/usr/share/zeliblue/image-info.json
+
+echo "Setting up container signing in policy.json and cosign.yaml for $IMAGE_NAME"
+echo "Registry to write: $IMAGE_REGISTRY"
+
+cp /usr/share/ublue-os/cosign.pub /usr/etc/pki/containers/"$IMAGE_NAME".pub
+
+FILE=/usr/etc/containers/policy.json
+
+yq -i -o=j '.transports.docker |=
+    {"'"$IMAGE_REGISTRY"'/'"$IMAGE_NAME"'": [
+            {
+                "type": "sigstoreSigned",
+                "keyPath": "/usr/etc/pki/containers/'"$IMAGE_NAME"'.pub",
+                "signedIdentity": {
+                    "type": "matchRepository"
+                }
+            }
+        ]
+    }
++ .' "$FILE"
+
+cp /usr/etc/containers/registries.d/ublue-os.yaml /usr/etc/containers/registries.d/"$IMAGE_NAME".yaml
+sed -i "s ghcr.io/ublue-os $IMAGE_REGISTRY g" /usr/etc/containers/registries.d/"$IMAGE_NAME".yaml