From d2c98237f414b826d84cbb3199e9a9707ac67124 Mon Sep 17 00:00:00 2001
From: gerblesh <101901964+gerblesh@users.noreply.github.com>
Date: Thu, 20 Jul 2023 22:35:59 -0700
Subject: [PATCH 1/5] feat: add support for image signing

---
 Containerfile | 4 ++
 scripts/build.sh | 5 ++
 usr/etc/containers/policy.json | 74 +++++++++++++++++++++
 usr/etc/containers/registries.d/cosign.yaml | 3 +
 4 files changed, 86 insertions(+)
 create mode 100644 usr/etc/containers/policy.json
 create mode 100644 usr/etc/containers/registries.d/cosign.yaml

diff --git a/Containerfile b/Containerfile
index 2789d151ea..9fdfc65718 100644
--- a/Containerfile
+++ b/Containerfile
@@ -23,6 +23,10 @@ ARG RECIPE=./recipe.yml
 # for manual overrides and editing by the machine's admin AFTER installation!
 # See issue #28 (https://github.com/ublue-os/startingpoint/issues/28).
 COPY usr /usr
+# Copy public key
+COPY ./cosign.pub /usr/etc/pki/containers/cosign.pub
+# Copy base signing config
+COPY ./usr/etc/containers /usr/etc/
 # Copy the recipe that we're building.
 COPY ${RECIPE} /usr/share/ublue-os/recipe.yml
diff --git a/scripts/build.sh b/scripts/build.sh
index e0d330a7a2..6795ae65b3 100644
--- a/scripts/build.sh
+++ b/scripts/build.sh
@@ -22,6 +22,11 @@ YAFTI_ENABLED="$(get_yaml_string '.firstboot.yafti')"
 # Welcome.
 echo "Building custom Fedora ${FEDORA_VERSION} from image: \"${BASE_IMAGE}\"."
+# Setup container signing
+echo "Setup container signing in policy.json and cosign.yaml"
+sed -i "s ghcr.io/ublue-os $IMAGE_REGISTRY g" /usr/etc/containers/policy.json
+sed -i "s ghcr.io/ublue-os $IMAGE_REGISTRY g" /usr/etc/containers/registries.d/cosign.yaml
+
 # Add custom repos.
 get_yaml_array repos '.rpm.repos[]'
 if [[ ${#repos[@]} -gt 0 ]]; then
diff --git a/usr/etc/containers/policy.json b/usr/etc/containers/policy.json
new file mode 100644
index 0000000000..aa4e3ee162
--- /dev/null
+++ b/usr/etc/containers/policy.json
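Review bot: `COPY ./usr/etc/containers /usr/etc/` repeats what `COPY usr /usr` two lines above already did, since that earlier COPY places the same policy.json and registries.d/cosign.yaml under /usr/etc/containers; the second COPY can be dropped, and the same redundancy survives the path tidy-up in patch 2's Containerfile hunk (@@ -23,10 +26,11 @@). The `COPY ./cosign.pub` line also makes the build fail outright for any fork that has not generated a key yet, and the comment gives no hint of that; suggest `# Copy public key (the build fails if cosign.pub is absent; forks must generate their own pair)`.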
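Review bot: Both `sed -i "s ghcr.io/ublue-os $IMAGE_REGISTRY g"` lines splice `$IMAGE_REGISTRY` straight into the sed program with a space as the delimiter, so an unset or empty value (this patch declares no ARG for it; patch 2 adds the default) rewrites the policy key to `""`, which collides with the existing `"": insecureAcceptAnything` entry, and a value containing a space, `&` or `\` breaks or alters the expression — unless the script runs under `set -u`, which is outside the hunk. Fail closed before editing and use a delimiter that cannot occur in a registry path: `: "${IMAGE_REGISTRY:?IMAGE_REGISTRY must be set}"`, then `sed -i "s|ghcr.io/ublue-os|${IMAGE_REGISTRY}|g" /usr/etc/containers/policy.json` and the same for cosign.yaml. The same point applies to patch 2's build.sh hunk (@@ -24,6 +24,7 @@), which only adds an echo of the value.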
@@ -0,0 +1,74 @@
+{
+ "default": [
+ {
+ "type": "reject"
+ }
+ ],
+ "transports": {
+ "docker": {
+ "registry.access.redhat.com": [
+ {
+ "type": "signedBy",
+ "keyType": "GPGKeys",
+ "keyPath": "/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release"
+ }
+ ],
+ "registry.redhat.io": [
+ {
+ "type": "signedBy",
+ "keyType": "GPGKeys",
+ "keyPath": "/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release"
+ }
+ ],
+ "ghcr.io/ublue-os": [
+ {
+ "type": "sigstoreSigned",
+ "keyPath": "/usr/etc/pki/containers/cosign.pub",
+ "signedIdentity": {
+ "type": "matchRepository"
+ }
+ }
+ ],
+ "": [
+ {
+ "type": "insecureAcceptAnything"
+ }
+ ]
+ },
+ "docker-daemon": {
+ "": [
+ {
+ "type": "insecureAcceptAnything"
+ }
+ ]
+ },
+ "atomic": {
+ "": [
+ {
+ "type": "insecureAcceptAnything"
+ }
+ ]
+ },
+ "dir": {
+ "": [
+ {
+ "type": "insecureAcceptAnything"
+ }
+ ]
+ },
+ "oci": {
+ "": [
+ {
+ "type": "insecureAcceptAnything"
+ }
+ ]
+ },
+ "tarball": {
+ "": [
+ {
+ "type": "insecureAcceptAnything"
+ }
+ ]
+ }
+ }
+}
diff --git a/usr/etc/containers/registries.d/cosign.yaml b/usr/etc/containers/registries.d/cosign.yaml
new file mode 100644
index 0000000000..24b197fa1a
--- /dev/null
+++ b/usr/etc/containers/registries.d/cosign.yaml
@@ -0,0 +1,3 @@
+docker:
+ ghcr.io/ublue-os:
+ use-sigstore-attachments: true

From 978bd6193cc2a6665044632781818724a2b395b0 Mon Sep 17 00:00:00 2001
From: gerblesh <101901964+gerblesh@users.noreply.github.com>
Date: Fri, 21 Jul 2023 09:11:59 -0700
Subject: [PATCH 2/5] fix: fix build arguments

---
 .github/workflows/build.yml | 17 +++++++++--------
 Containerfile | 8 ++++++--
 scripts/build.sh | 1 +
 3 files changed, 16 insertions(+), 10 deletions(-)

diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 62629261aa..5943fb9387 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
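Review bot: The `docker` transport keeps a catch-all `""` entry of `insecureAcceptAnything` next to the new `ghcr.io/ublue-os` `sigstoreSigned` entry, so a pull whose name does not start with that prefix — including the case where the build-time sed rewrites the key to something other than the namespace the image is actually pushed under — is accepted unsigned instead of refused; the top-level `"default": reject` never reaches docker:// pulls because of it. A fork that wants signing enforced should make the `""` entry under `docker` `{"type": "reject"}` (or list only the registries it trusts), accepting that unsigned images from other registries then need their own entries. `matchRepository` is the right identity choice for a rolling `latest` tag, since it accepts a signature made for any tag of the same repository. As a consistency point, the new entry references `/usr/etc/pki/containers/cosign.pub` while the two Red Hat entries use `/etc/pki/...`; both resolve on the booted system presumably via the /usr/etc to /etc merge, but a one-line note in the Containerfile explaining the choice would spare the next reader the question.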
@@ -118,6 +118,14 @@ jobs:
 io.artifacthub.package.readme-url=https://raw.githubusercontent.com/ublue-os/startingpoint/main/README.md
 io.artifacthub.package.logo-url=https://avatars.githubusercontent.com/u/120078124?s=200&v=4
+ # Workaround bug where capital letters in your GitHub username make it impossible to push to GHCR.
+ # https://github.com/macbre/push-to-ghcr/issues/12
+ - name: Lowercase Registry
+ id: registry_case
+ uses: ASzc/change-string-case-action@v5
+ with:
+ string: ${{ env.IMAGE_REGISTRY }}
+
 # Build image using Buildah action
 - name: Build Image
 id: build_image
@@ -132,17 +140,10 @@ jobs:
 FEDORA_MAJOR_VERSION=${{ env.FEDORA_MAJOR_VERSION }}
 BASE_IMAGE_URL=${{ env.BASE_IMAGE_URL }}
 RECIPE=${{ matrix.recipe }}
+ IMAGE_REGISTRY=${{ steps.registry_case.outputs.lowercase }}
 labels: ${{ steps.meta.outputs.labels }}
 oci: false
- # Workaround bug where capital letters in your GitHub username make it impossible to push to GHCR.
- # https://github.com/macbre/push-to-ghcr/issues/12
- - name: Lowercase Registry
- id: registry_case
- uses: ASzc/change-string-case-action@v5
- with:
- string: ${{ env.IMAGE_REGISTRY }}
-
 # Push the image to GHCR (Image Registry)
 - name: Push To GHCR
 uses: redhat-actions/push-to-registry@v2
diff --git a/Containerfile b/Containerfile
index 9fdfc65718..c86846fcbe 100644
--- a/Containerfile
+++ b/Containerfile
@@ -15,6 +15,9 @@ FROM ${BASE_IMAGE_URL}:${FEDORA_MAJOR_VERSION}
 # so that `podman build` should just work for many people.
 ARG RECIPE=./recipe.yml
+# The default image registry to write to policy.json and cosign.yaml
+ARG IMAGE_REGISTRY=ghcr.io/ublue-os
+
 # Copy static configurations and component files.
 # Warning: If you want to place anything in "/etc" of the final image, you MUST
 # place them in "./usr/etc" in your repo, so that they're written to "/usr/etc"
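Review bot: `uses: ASzc/change-string-case-action@v5` pins a third-party action by a mutable tag, and its output now feeds the `IMAGE_REGISTRY` build arg that build.sh writes into policy.json and cosign.yaml, i.e. the namespace the shipped image will trust signatures for; a moved tag could change that value without any diff in this repository. Pin it by full commit SHA and keep the version as a comment, `uses: ASzc/change-string-case-action@<commit-sha> # v5` (the `redhat-actions/push-to-registry@v2` line in the second hunk has the same exposure, though it is not new here). A short comment on the moved step saying that the lowercased value must match the name the image is pushed under exactly would also help, since the workaround comment only explains the GHCR push failure.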
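Review bot: The comment above `ARG IMAGE_REGISTRY=ghcr.io/ublue-os` says where the value is written but not the constraint that matters: it must equal the registry/owner prefix the image is pushed under, because build.sh rewrites the `ghcr.io/ublue-os` key in policy.json and cosign.yaml to it, and a mismatch presumably leaves the signed-image entry unused. Suggest `# Registry/owner prefix the image is pushed to (lowercase, e.g. ghcr.io/<owner>); build.sh writes it into policy.json and cosign.yaml`. Whether the RUN that invokes build.sh actually sees this ARG depends on it being in the same build stage, which is outside the hunk.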
@@ -23,10 +26,11 @@ ARG RECIPE=./recipe.yml
 # for manual overrides and editing by the machine's admin AFTER installation!
 # See issue #28 (https://github.com/ublue-os/startingpoint/issues/28).
 COPY usr /usr
+
 # Copy public key
-COPY ./cosign.pub /usr/etc/pki/containers/cosign.pub
+COPY cosign.pub /usr/etc/pki/containers/cosign.pub
 # Copy base signing config
-COPY ./usr/etc/containers /usr/etc/
+COPY usr/etc/containers /usr/etc/
 # Copy the recipe that we're building.
 COPY ${RECIPE} /usr/share/ublue-os/recipe.yml
diff --git a/scripts/build.sh b/scripts/build.sh
index 6795ae65b3..b6d5ac6622 100644
--- a/scripts/build.sh
+++ b/scripts/build.sh
@@ -24,6 +24,7 @@ echo "Building custom Fedora ${FEDORA_VERSION} from image: \"${BASE_IMAGE}\"."
 # Setup container signing
 echo "Setup container signing in policy.json and cosign.yaml"
+echo "Registry to write: $IMAGE_REGISTRY"
 sed -i "s ghcr.io/ublue-os $IMAGE_REGISTRY g" /usr/etc/containers/policy.json
 sed -i "s ghcr.io/ublue-os $IMAGE_REGISTRY g" /usr/etc/containers/registries.d/cosign.yaml

From 8c57efe7a9a247fa063e60e0e5303228114a5b48 Mon Sep 17 00:00:00 2001
From: gerblesh <101901964+gerblesh@users.noreply.github.com>
Date: Fri, 21 Jul 2023 09:54:14 -0700
Subject: [PATCH 3/5] docs: update Installation in README

---
 README.md | 16 ++++++++++++----
 1 file changed, 12 insertions(+), 4 deletions(-)

diff --git a/README.md b/README.md
index f2bbda91cc..717dccbde9 100644
--- a/README.md
+++ b/README.md
@@ -88,16 +88,24 @@ If you want to completely disable yafti, simply set the recipe's `firstboot.yaft
 To rebase an existing Silverblue/Kinoite installation to the latest build:
-```
-sudo rpm-ostree rebase ostree-unverified-registry:ghcr.io/ublue-os/startingpoint:latest
-```
+- First rebase to the image unsigned, to get the proper signing keys and policies installed:
+ ```
+ sudo rpm-ostree rebase ostree-unverified-registry:ghcr.io/ublue-os/startingpoint:latest
+ ```
+- Then rebase to the signed image, like so:
+ ```
+ sudo rpm-ostree rebase ostree-image-signed:docker://ghcr.io/ublue-os/startingpoint:latest
+ ```
+
 This repository builds date tags as well, so if you want to rebase to a particular day's build:
 ```
-sudo rpm-ostree rebase ostree-unverified-registry:ghcr.io/ublue-os/startingpoint:20230403
+sudo rpm-ostree rebase ostree-image-signed:docker://ghcr.io/ublue-os/startingpoint:20230403
 ```
+This repository by default also supports signing
+
 The `latest` tag will automatically point to the latest build. That build will still always use the Fedora version specified in `recipe.yml`, so you won't get accidentally updated to the next major version.
 ## Just

From 723847b80327029aedec64104a7902e2430ec003 Mon Sep 17 00:00:00 2001
From: gerblesh <101901964+gerblesh@users.noreply.github.com>
Date: Fri, 21 Jul 2023 10:04:34 -0700
Subject: [PATCH 4/5] docs: include more detailed steps in installation section

---
 README.md | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/README.md b/README.md
index 717dccbde9..7e9a20572a 100644
--- a/README.md
+++ b/README.md
@@ -92,10 +92,18 @@ To rebase an existing Silverblue/Kinoite installation to the latest build:
 ```
 sudo rpm-ostree rebase ostree-unverified-registry:ghcr.io/ublue-os/startingpoint:latest
 ```
+- Reboot to complete the rebase:
+ ```
+ systemctl reboot
+ ```
 - Then rebase to the signed image, like so:
 ```
 sudo rpm-ostree rebase ostree-image-signed:docker://ghcr.io/ublue-os/startingpoint:latest
 ```
+- Reboot again to complete the installation
+ ```
+ systemctl reboot
+ ```
 This repository builds date tags as well, so if you want to rebase to a particular day's build:

From 7502accfd3bab4818a90a78712d1902b96c33b3d Mon Sep 17 00:00:00 2001
From: gerblesh <101901964+gerblesh@users.noreply.github.com>
Date: Fri, 21 Jul 2023 12:31:05 -0700
Subject: [PATCH 5/5] docs: remove unneeded verification section

---
 README.md | 7 -------
 1 file changed, 7 deletions(-)

diff --git a/README.md b/README.md
index 7e9a20572a..4c1245298f 100644
--- a/README.md
+++ b/README.md
@@ -147,10 +147,3 @@ After doing that, you'll be able to run the following commands:
 Check the [just website](https://just.systems) for tips on modifying and adding your own recipes.
-## Verification
-
-These images are signed with sisgstore's [cosign](https://docs.sigstore.dev/cosign/overview/). You can verify the signature by downloading the `cosign.pub` key from this repo and running the following command:
-
- cosign verify --key cosign.pub ghcr.io/ublue-os/startingpoint
-
-If you're forking this repo, the uBlue website has [instructions](https://universal-blue.org/tinker/make-your-own/) for setting up signing properly.