From 0c1ae8a479112891883d2776bb1fe5f7878da5dc Mon Sep 17 00:00:00 2001 From: "Jorge O. Castro" Date: Thu, 20 Jul 2023 17:09:17 -0400 Subject: [PATCH] docs: switch to signed images (#130) * docs: switch to signed images * fix: update date ranges --- README.md | 22 +++++++++++----------- 1 file changed, 11 insertions(+), 11 deletions(-) diff --git a/README.md b/README.md index 38c037f..1fc015a 100644 --- a/README.md +++ b/README.md @@ -30,34 +30,34 @@ Note: The image previously titled "nvidia" will not be updated anymore. If you w [Silverblue (GNOME):](https://github.com/ublue-os/nvidia/pkgs/container/silverblue-nvidia) - rpm-ostree rebase ostree-unverified-registry:ghcr.io/ublue-os/silverblue-nvidia:latest + rpm-ostree rebase ostree-image-signed:docker://ghcr.io/ublue-os/silverblue-nvidia:latest [Kinoite (KDE):](https://github.com/ublue-os/nvidia/pkgs/container/kinoite-nvidia) - rpm-ostree rebase ostree-unverified-registry:ghcr.io/ublue-os/kinoite-nvidia:latest + rpm-ostree rebase ostree-image-signed:docker://ghcr.io/ublue-os/kinoite-nvidia:latest [LXQt (unofficial):](https://github.com/ublue-os/nvidia/pkgs/container/lxqt-nvidia) - rpm-ostree rebase ostree-unverified-registry:ghcr.io/ublue-os/lxqt-nvidia:latest + rpm-ostree rebase ostree-image-signed:docker://ghcr.io/ublue-os/lxqt-nvidia:latest [MATE (unofficial):](https://github.com/ublue-os/nvidia/pkgs/container/mate-nvidia) - rpm-ostree rebase ostree-unverified-registry:ghcr.io/ublue-os/mate-nvidia:latest + rpm-ostree rebase ostree-image-signed:docker://ghcr.io/ublue-os/mate-nvidia:latest [Vauxite (XFCE, unofficial):](https://github.com/ublue-os/nvidia/pkgs/container/vauxite-nvidia) - rpm-ostree rebase ostree-unverified-registry:ghcr.io/ublue-os/vauxite-nvidia:latest + rpm-ostree rebase ostree-image-signed:docker://ghcr.io/ublue-os/vauxite-nvidia:latest [Sericea (Sway, unofficial as of Fedora 38):](https://github.com/ublue-os/nvidia/pkgs/container/sericea-nvidia) Note: [The Sway session has some custom configuration options set to improve stability on Nvidia GPUs](https://github.com/ublue-os/nvidia/blob/main/files/etc/sway/environment) - rpm-ostree rebase ostree-unverified-registry:ghcr.io/ublue-os/sericea-nvidia:38 + rpm-ostree rebase ostree-image-signed:docker://ghcr.io/ublue-os/sericea-nvidia:38 [Base (no DE preinstalled):](https://github.com/ublue-os/nvidia/pkgs/container/base-nvidia) - rpm-ostree rebase ostree-unverified-registry:ghcr.io/ublue-os/base-nvidia:latest + rpm-ostree rebase ostree-image-signed:docker://ghcr.io/ublue-os/base-nvidia:latest And then reboot. @@ -96,12 +96,12 @@ Generally you can [perform a rollback](https://docs.fedoraproject.org/en-US/fedo To rebase onto a specific date, use a date tag: - rpm-ostree rebase ostree-unverified-registry:ghcr.io/ublue-os/silverblue-nvidia:20230128 + rpm-ostree rebase ostree-image-signed:docker://ghcr.io/ublue-os/silverblue-nvidia:20230720 Or to rebase onto a specific release, driver, and date: - rpm-ostree rebase ostree-unverified-registry:ghcr.io/ublue-os/silverblue-nvidia:37-525-20230128 - + rpm-ostree rebase ostree-image-signed:docker://ghcr.io/ublue-os/silverblue-nvidia:38-535-20230720 + [More options for image tags can be found on the container catalog.](https://github.com/ublue-os/nvidia/pkgs/container/silverblue-nvidia/versions) ## Support @@ -123,7 +123,7 @@ It is *strongly encouraged* for you to subscribe to [the Nvidia driver announcem These images are signed with sisgstore's [cosign](https://docs.sigstore.dev/cosign/overview/). You can verify the signature by downloading the `cosign.pub` key from this repo and running the following command: - cosign verify --key cosign.pub ghcr.io/ublue-os/base + cosign verify --key cosign.pub ghcr.io/ublue-os/silverblue-nvidia If you're forking this repo you should [read the docs](https://docs.github.com/en/actions/security-guides/encrypted-secrets) on keeping secrets in github. You need to [generate a new keypair](https://docs.sigstore.dev/cosign/overview/) with cosign. The public key can be in your public repo (your users need it to check the signatures), and you can paste the private key in Settings -> Secrets -> Actions with the name SIGNING_SECRET.