Revert "refactor: clean up image signing to line up more with upstream"

blue-build · Jul 23, 2023 · 0447b18 · 0447b18
1 parent ebdc55c
commit 0447b18
Show file tree

Hide file tree

Showing 4 changed files with 85 additions and 15 deletions.
diff --git a/Containerfile b/Containerfile
@@ -29,6 +29,8 @@ COPY usr /usr
 
 # Copy public key
 COPY cosign.pub /usr/etc/pki/containers/cosign.pub
+# Copy base signing config
+COPY usr/etc/containers /usr/etc/
 
 # Copy the recipe that we're building.
 COPY ${RECIPE} /usr/share/ublue-os/recipe.yml

diff --git a/scripts/build.sh b/scripts/build.sh
@@ -22,6 +22,12 @@ YAFTI_ENABLED="$(get_yaml_string '.firstboot.yafti')"
 # Welcome.
 echo "Building custom Fedora ${FEDORA_VERSION} from image: \"${BASE_IMAGE}\"."
 
+# Setup container signing
+echo "Setup container signing in policy.json and cosign.yaml"
+echo "Registry to write: $IMAGE_REGISTRY"
+sed -i "s ghcr.io/ublue-os $IMAGE_REGISTRY g" /usr/etc/containers/policy.json
+sed -i "s ghcr.io/ublue-os $IMAGE_REGISTRY g" /usr/etc/containers/registries.d/cosign.yaml
+
 # Add custom repos.
 get_yaml_array repos '.rpm.repos[]'
 if [[ ${#repos[@]} -gt 0 ]]; then
@@ -105,20 +111,5 @@ if [[ "${YAFTI_ENABLED}" == "true" ]]; then
  fi
 fi
 
-# Setup container signing
-echo "Setup container signing in policy.json and cosign.yaml"
-echo "Registry to write: $IMAGE_REGISTRY"
-
-jq '.transports.docker."$IMAGE_REGISTRY" += [{
- "type": "sigstoreSigned",
- "keyPath": "/usr/etc/pki/containers/cosign.pub",
- "signedIdentity": {
- "type": "matchRepository"
- }
-}]' /usr/etc/containers/policy.json > /usr/etc/containers/policy.json
-
-cp /usr/etc/containers/registries.d/ublue-os.yaml /usr/etc/containers/registries.d/cosign.yaml
-sed -i "s ghcr.io/ublue-os $IMAGE_REGISTRY g" /usr/etc/containers/registries.d/cosign.yaml
-
 # Run "post" scripts.
 run_scripts "post"
diff --git a/usr/etc/containers/policy.json b/usr/etc/containers/policy.json
@@ -0,0 +1,74 @@
+{
+ "default": [
+ {
+ "type": "reject"
+ }
+ ],
+ "transports": {
+ "docker": {
+ "registry.access.redhat.com": [
+ {
+ "type": "signedBy",
+ "keyType": "GPGKeys",
+ "keyPath": "/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release"
+ }
+ ],
+ "registry.redhat.io": [
+ {
+ "type": "signedBy",
+ "keyType": "GPGKeys",
+ "keyPath": "/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release"
+ }
+ ],
+ "ghcr.io/ublue-os": [
+ {
+ "type": "sigstoreSigned",
+ "keyPath": "/usr/etc/pki/containers/cosign.pub",
+ "signedIdentity": {
+ "type": "matchRepository"
+ }
+ }
+ ],
+ "": [
+ {
+ "type": "insecureAcceptAnything"
+ }
+ ]
+ },
+ "docker-daemon": {
+ "": [
+ {
+ "type": "insecureAcceptAnything"
+ }
+ ]
+ },
+ "atomic": {
+ "": [
+ {
+ "type": "insecureAcceptAnything"
+ }
+ ]
+ },
+ "dir": {
+ "": [
+ {
+ "type": "insecureAcceptAnything"
+ }
+ ]
+ },
+ "oci": {
+ "": [
+ {
+ "type": "insecureAcceptAnything"
+ }
+ ]
+ },
+ "tarball": {
+ "": [
+ {
+ "type": "insecureAcceptAnything"
+ }
+ ]
+ }
+ }
+}
diff --git a/usr/etc/containers/registries.d/cosign.yaml b/usr/etc/containers/registries.d/cosign.yaml
@@ -0,0 +1,3 @@
+docker:
+ ghcr.io/ublue-os:
+ use-sigstore-attachments: true