From 60d74e07ce2e59ce90ad8aa8c8d119f2adbcf4f5 Mon Sep 17 00:00:00 2001 From: Sam Clark <1059176+samhclark@users.noreply.github.com> Date: Sat, 28 Sep 2024 23:01:25 -0500 Subject: [PATCH] Rebase on Fedora Silverblue 41 Add rebasing info to README Include the config files in the image This is to allow a two-stage rebase which bootstraps things a little easier. --- .github/workflows/build.yaml | 4 +- Containerfile | 5 +- README.md | 35 ++++++++ overlay-root/usr/etc/containers/policy.json | 86 +++++++++++++++++++ .../containers/registries.d/50-docker.yaml | 3 + .../usr/etc/pki/cosign/cosign.pub | 0 packages.json | 6 +- 7 files changed, 129 insertions(+), 10 deletions(-) create mode 100644 overlay-root/usr/etc/containers/policy.json create mode 100644 overlay-root/usr/etc/containers/registries.d/50-docker.yaml rename cosign.pub => overlay-root/usr/etc/pki/cosign/cosign.pub (100%) diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml index 808a973..e30366a 100644 --- a/.github/workflows/build.yaml +++ b/.github/workflows/build.yaml @@ -21,7 +21,7 @@ jobs: image_name: custom-silverblue tags: | ${{ github.sha }} - 40 + 41 secrets: cosign_password: ${{ secrets.COSIGN_PASSWORD }} - cosign_private_key: ${{ secrets.COSIGN_PRIVATE_KEY }} \ No newline at end of file + cosign_private_key: ${{ secrets.COSIGN_PRIVATE_KEY }} diff --git a/Containerfile b/Containerfile index 4622453..1655511 100644 --- a/Containerfile +++ b/Containerfile @@ -1,8 +1,7 @@ -ARG silverblue_version=40 +ARG silverblue_version=41 FROM quay.io/fedora-ostree-desktops/silverblue:${silverblue_version} -COPY cosign.pub /etc/pki/cosign/cosign.pub -COPY overlay-root/etc/ /etc/ +COPY overlay-root/ / RUN mkdir -p /var/opt \ && mkdir -p /usr/lib/opt/google \ diff --git a/README.md b/README.md index 6af73ab..b5a6c8b 100644 --- a/README.md +++ b/README.md 
@@ -2,6 +2,41 @@ Following Jorge Castro's lead and making my own spin on Silverblue +## Rebasing onto this image + +This bootstrapping process helps get the public keys onto your machine +and makes sure everything is configured right. + +From another Silverblue based image, first, rebase onto the _unverified_ image. + +``` +rpm-ostree rebase ostree-unverified-registry:ghcr.io/samhclark/custom-silverblue:41 +``` + +Optional: Manually verify that the image you just rebased onto is signed. + +``` +$ wget -O - https://raw.githubusercontent.com/samhclark/custom-silverblue/refs/heads/main/overlay-root/usr/etc/pki/cosign/cosign.pub \ + | cosign verify --key /dev/stdin ghcr.io/samhclark/custom-silverblue@$( \ + rpm-ostree status \ + | head -n 7 \ + | grep -o 'sha256:[a-f0-9]\{64\}' \ + ) +``` + +If the above command fails (returns with a non-zero exit code), then you should abort the rebase + +``` +rpm-ostree cleanup --pending +``` + +Assuming it succeeded, then reboot: `systemctl reboot`. +After that, rebase onto the signed image. + +``` +rpm-ostree rebase ostree-image-signed:docker://ghcr.io/samhclark/custom-silverblue:41 +``` + ## Google Linux Signing Keys Google does something weird with their keys for signing RPMs. diff --git a/overlay-root/usr/etc/containers/policy.json b/overlay-root/usr/etc/containers/policy.json new file mode 100644 index 0000000..2b939bd --- /dev/null +++ b/overlay-root/usr/etc/containers/policy.json 
@@ -0,0 +1,86 @@
+{
+ "default": [
+ {
+ "type": "reject"
+ }
+ ],
+ "transports": {
+ "docker": {
+ "ghcr.io/samhclark/custom-silverblue:40": [
+ {
+ "type": "insecureAcceptAnything"
+ }
+ ],
+ "ghcr.io/samhclark": [
+ {
+ "type": "sigstoreSigned",
+ "keyPath": "/etc/pki/cosign/cosign.pub",
+ "signedIdentity": {
+ "type": "matchRepository"
+ }
+ }
+ ],
+ "": [
+ {
+ "type": "insecureAcceptAnything"
+ }
+ ]
+ },
+ "docker-daemon": {
+ "": [
+ {
+ "type": "insecureAcceptAnything"
+ }
+ ]
+ },
+ "atomic": {
+ "": [
+ {
+ "type": "insecureAcceptAnything"
+ }
+ ]
+ },
+ "containers-storage": {
+ "": [
+ {
+ "type": "insecureAcceptAnything"
+ }
+ ]
+ },
+ "dir": {
+ "": [
+ {
+ "type": "insecureAcceptAnything"
+ }
+ ]
+ },
+ "oci": {
+ "": [
+ {
+ "type": "insecureAcceptAnything"
+ }
+ ]
+ },
+ "oci-archive": {
+ "": [
+ {
+ "type": "insecureAcceptAnything"
+ }
+ ]
+ },
+ "docker-archive": {
+ "": [
+ {
+ "type": "insecureAcceptAnything"
+ }
+ ]
+ },
+ "tarball": {
+ "": [
+ {
+ "type": "insecureAcceptAnything"
+ }
+ ]
+ }
+ }
+}
\ No newline at end of file
diff --git a/overlay-root/usr/etc/containers/registries.d/50-docker.yaml b/overlay-root/usr/etc/containers/registries.d/50-docker.yaml
new file mode 100644
index 0000000..165a70b
--- /dev/null
+++ b/overlay-root/usr/etc/containers/registries.d/50-docker.yaml
@@ -0,0 +1,3 @@
+docker:
+ ghcr.io/samhclark:
+ use-sigstore-attachments: true
\ No newline at end of file
diff --git a/cosign.pub b/overlay-root/usr/etc/pki/cosign/cosign.pub
similarity index 100%
rename from cosign.pub
rename to overlay-root/usr/etc/pki/cosign/cosign.pub
diff --git a/packages.json b/packages.json
index 0e1cd00..474768f 100644
--- a/packages.json
+++ b/packages.json
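Review bot: The per-tag entry `"ghcr.io/samhclark/custom-silverblue:40": [{"type": "insecureAcceptAnything"}]` at the top of the `docker` transport is the most specific scope for that reference, so it overrides the `sigstoreSigned` requirement placed on `ghcr.io/samhclark` for anything pulled as `:40`, and after this commit's move to 41 it no longer matches the tag the README bootstrap uses (that first stage goes through `ostree-unverified-registry:`, which as I understand it skips the policy check rather than relying on this entry). If it is meant as the escape hatch for the first-stage rebase it now needs to read `:41`; otherwise drop the entry so the only unsigned path into the signed namespace is the explicit unverified transport, and add a `"_comment"`-style note is not possible in strict JSON, so record the intent in the README instead. Two smaller points: `keyPath` is `/etc/pki/cosign/cosign.pub` while the key is shipped at `overlay-root/usr/etc/pki/cosign/cosign.pub`, which resolves only because the ostree deployment populates `/etc` from `/usr/etc` — worth one sentence in the README so the next edit does not "fix" the path; and this file and `50-docker.yaml` in the next hunk both end with `\ No newline at end of file`, which is worth adding for clean diffs.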
@@ -86,10 +86,6 @@ "name": "gnome-software-rpm-ostree", "_comment": "Don't want to manage rom-ostree software from a GUI in the OS" }, - { - "name": "gnome-terminal-nautilus", - "_comment": "Don't want Gnome Terminal in the file browser" - }, { "name": "gnome-tour", "_comment": "Don't want the tour" @@ -108,4 +104,4 @@ } ] } - \ No newline at end of file +