Commit
Include the config files in the image
This is to allow a two-stage rebase which bootstraps things a little
easier.
samhclark committed Nov 8, 2024
1 parent 8604af5 commit 05c749a
Showing 5 changed files with 96 additions and 34 deletions.
3 changes: 1 addition & 2 deletions Containerfile
@@ -1,8 +1,7 @@
ARG silverblue_version=41
FROM quay.io/fedora-ostree-desktops/silverblue:${silverblue_version}

COPY cosign.pub /etc/pki/cosign/cosign.pub
COPY overlay-root/etc/ /etc/
COPY overlay-root/ /

RUN mkdir -p /var/opt \
&& mkdir -p /usr/lib/opt/google \
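Review bot: `COPY overlay-root/ /` replaces both the explicit `COPY cosign.pub /etc/pki/cosign/cosign.pub` and `COPY overlay-root/etc/ /etc/`, but the new policy and registries.d files in this commit live under `overlay-root/usr/etc/`, and the rename at the bottom of the diff shows no destination path, so please confirm the key ends up at the `/etc/pki/cosign/cosign.pub` that `keyPath` in policy.json points to (or under `/usr/etc/pki/cosign/` if the intent is for ostree to merge it into `/etc`). Because ostree 3-way merges `/usr/etc` into `/etc` at deployment and keeps locally modified files, a user who hand-edited `/etc/containers/policy.json` following the old README will keep their own copy rather than the one shipped here; a sentence in the README asking existing users to compare `/etc/containers/policy.json` with `/usr/etc/containers/policy.json` after rebasing would avoid silent divergence.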
38 changes: 6 additions & 32 deletions README.md
@@ -4,44 +4,18 @@ Following Jorge Castro's lead and making my own spin on Silverblue

## Rebasing onto this image

From a normal Silverblue install, or the previous `:40` version, you can rebase onto this image.
From another Silverblue based image, first, rebase onto the unsigned image.

The image is signed.
Bootstrap the process by downloading the cosign public key for verification.

```
mkdir -p /etc/pki/cosign
wget -O /etc/pki/cosign/cosign.pub https://raw.githubusercontent.com/samhclark/custom-silverblue/refs/heads/main/cosign.pub
printf '55e391488bbbfe28209e09963edf38a612e306572b2dd72bbcc97402690ff000 /etc/pki/cosign/cosign.pub' | sha256sum --check -
chmod 555 /etc/pki/cosign
chmod 444 /etc/pki/cosign/cosign.pub
sudo chattr +i /etc/pki/cosign/cosign.pub
```

Edit your existing `/etc/containers/policy.json` to include a section like this:

```json
{
"transports": {
"docker": {
"ghcr.io/samhclark/custom-silverblue:40": [{"type": "insecureAcceptAnything"}],
"ghcr.io/samhclark/custom-silverblue": [
{
"type": "sigstoreSigned",
"keyPath": "/etc/pki/cosign/cosign.pub",
"signedIdentity": "exactRepository",
"dockerRepository": "ghcr.io/samhclark/custom-silverblue"
}
]
}
}
}
rpm-ostree rebase ostree-unverified-registry:ghcr.io/samhclark/custom-silverblue:41
```

Then, it's time to rebase
Then, after that, rebase onto the signed image.
This bootstrapping process helps get the public keys onto your machine
and makes sure everything is configured right.

```
rpm-ostree rebase ostree-image-signed:registry:ghcr.io/samhclark/custom-silverblue:41
rpm-ostree rebase ostree-image-signed:docker://ghcr.io/samhclark/custom-silverblue:41
```

## Google Linux Signing Keys
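Review bot: the new first step, `rpm-ostree rebase ostree-unverified-registry:ghcr.io/samhclark/custom-silverblue:41`, pulls the image with no signature check, so the public key and policy that all later verification rests on are trusted on first use; the README should say that plainly rather than leaving "The image is signed." stranded above the unverified command, and move that sentence down to introduce the `ostree-image-signed:docker://` step where it applies. It would also help to tell readers what out-of-band check they can do on that first pull (the old text at least had a `sha256sum --check` on the key; the new text has no equivalent), and to keep a mention of the `:40` tag, since policy.json in this same commit still carries a special-case entry for it and the README no longer explains why.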
86 changes: 86 additions & 0 deletions overlay-root/usr/etc/containers/policy.json
@@ -0,0 +1,86 @@
{
"default": [
{
"type": "reject"
}
],
"transports": {
"docker": {
"ghcr.io/samhclark/custom-silverblue:40": [
{
"type": "insecureAcceptAnything"
}
],
"ghcr.io/samhclark": [
{
"type": "sigstoreSigned",
"keyPath": "/etc/pki/cosign/cosign.pub",
"signedIdentity": {
"type": "matchRepository"
}
}
],
"": [
{
"type": "insecureAcceptAnything"
}
]
},
"docker-daemon": {
"": [
{
"type": "insecureAcceptAnything"
}
]
},
"atomic": {
"": [
{
"type": "insecureAcceptAnything"
}
]
},
"containers-storage": {
"": [
{
"type": "insecureAcceptAnything"
}
]
},
"dir": {
"": [
{
"type": "insecureAcceptAnything"
}
]
},
"oci": {
"": [
{
"type": "insecureAcceptAnything"
}
]
},
"oci-archive": {
"": [
{
"type": "insecureAcceptAnything"
}
]
},
"docker-archive": {
"": [
{
"type": "insecureAcceptAnything"
}
]
},
"tarball": {
"": [
{
"type": "insecureAcceptAnything"
}
]
}
}
}
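Review bot: the `"ghcr.io/samhclark/custom-silverblue:40": [{"type": "insecureAcceptAnything"}]` entry accepts whatever is published under that tag without any signature, which is presumably the bootstrap escape hatch for machines still on `:40`, but it stays in force indefinitely; mark it as transitional in a comment-equivalent (the README, since JSON has no comments) and plan to remove it once users have moved to `:41`. Note also that `"default": [{"type": "reject"}]` is only reached for a transport not listed here: every listed transport, including `docker`, has a `""` wildcard of `insecureAcceptAnything`, so signature enforcement is scoped to the `ghcr.io/samhclark` namespace only and any other registry is pulled unverified; that is a reasonable choice for a desktop image but worth stating next to the rebase instructions. The `sigstoreSigned` block with `"signedIdentity": {"type": "matchRepository"}` is the right fit for a namespace-wide scope, since it requires the signature to name the same repository as the image being pulled rather than one hard-coded `dockerRepository` as the old README's `exactRepository` example did.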
3 changes: 3 additions & 0 deletions overlay-root/usr/etc/containers/registries.d/50-docker.yaml
@@ -0,0 +1,3 @@
docker:
ghcr.io/samhclark:
use-sigstore-attachments: true
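Review bot: this is the half that makes the `sigstoreSigned` entry in policy.json work, because without `use-sigstore-attachments: true` for the `ghcr.io/samhclark` scope containers/image has no sigstore signatures to fetch from the registry and the signed rebase would fail for lack of any signature to check; a short comment above `docker:` saying that this scope must stay in step with the policy.json scope would save the next person from changing one without the other. Since the file drops into `registries.d` alongside whatever the base image already ships, check that no existing file there defines the same `ghcr.io/samhclark` scope, and add `overlay-root/usr/etc/containers/registries.d/50-docker.yaml` to the README's list of what the image installs so users know where the setting comes from.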
File renamed without changes.

0 comments on commit 05c749a