diff --git a/README-uBlue.md b/README-uBlue.md index f2bbda91cc..4c1245298f 100644 --- a/README-uBlue.md +++ b/README-uBlue.md @@ -88,16 +88,32 @@ If you want to completely disable yafti, simply set the recipe's `firstboot.yaft To rebase an existing Silverblue/Kinoite installation to the latest build: -``` -sudo rpm-ostree rebase ostree-unverified-registry:ghcr.io/ublue-os/startingpoint:latest -``` +- First rebase to the image unsigned, to get the proper signing keys and policies installed: + ``` + sudo rpm-ostree rebase ostree-unverified-registry:ghcr.io/ublue-os/startingpoint:latest + ``` +- Reboot to complete the rebase: + ``` + systemctl reboot + ``` +- Then rebase to the signed image, like so: + ``` + sudo rpm-ostree rebase ostree-image-signed:docker://ghcr.io/ublue-os/startingpoint:latest + ``` +- Reboot again to complete the installation + ``` + systemctl reboot + ``` + This repository builds date tags as well, so if you want to rebase to a particular day's build: ``` -sudo rpm-ostree rebase ostree-unverified-registry:ghcr.io/ublue-os/startingpoint:20230403 +sudo rpm-ostree rebase ostree-image-signed:docker://ghcr.io/ublue-os/startingpoint:20230403 ``` +This repository by default also supports signing + The `latest` tag will automatically point to the latest build. That build will still always use the Fedora version specified in `recipe.yml`, so you won't get accidentally updated to the next major version. ## Just @@ -131,10 +147,3 @@ After doing that, you'll be able to run the following commands: Check the [just website](https://just.systems) for tips on modifying and adding your own recipes. -## Verification - -These images are signed with sisgstore's [cosign](https://docs.sigstore.dev/cosign/overview/). You can verify the signature by downloading the `cosign.pub` key from this repo and running the following command: - - cosign verify --key cosign.pub ghcr.io/ublue-os/startingpoint - -If you're forking this repo, the uBlue website has [instructions](https://universal-blue.org/tinker/make-your-own/) for setting up signing properly.