From 577b9b2c1942aebcb5057f2e3cd807f23d095ceb Mon Sep 17 00:00:00 2001
From: Brian Beatty
Date: Mon, 6 May 2024 10:41:49 -0500
Subject: [PATCH] feat: update signing key
---
 .github/workflows/reusable-build.yml | 15 ++++++++-------
 Containerfile | 10 +++++-----
 cosign.pub | 4 ++--
 3 files changed, 15 insertions(+), 14 deletions(-)
diff --git a/.github/workflows/reusable-build.yml b/.github/workflows/reusable-build.yml
index cd120b35..69aa65c1 100644
--- a/.github/workflows/reusable-build.yml
+++ b/.github/workflows/reusable-build.yml
@@ -28,8 +28,8 @@ jobs:
 - ${{ inputs.fedora_version }}
 kernel_flavor:
 - main
- - asus
- - surface
+ # - asus
+ # - surface
 image_name:
 - silverblue
 - kinoite
@@ -150,12 +150,13 @@ jobs:
 with:
 containers: ${{ env.SOURCE_IMAGE }}:${{ matrix.fedora_version }}
 registry: ${{ env.IMAGE_REGISTRY }}
+ pubkey: https://raw.githubusercontent.com/bpbeatty/hwe/main/cosign.pub
 - name: Verify akmods-nvidia image
 uses: EyeCantCU/cosign-action/verify@v0.2.2
 with:
 containers: akmods-nvidia:${{ matrix.kernel_flavor}}-${{ matrix.fedora_version }}
- registry: ${{ env.IMAGE_REGISTRY }}
+ registry: ghcr.io/ublue-os
 - name: Pull main and akmods-nvidia images
 uses: Wandalen/wretry.action@v3.4.0
@@ -166,7 +167,7 @@ jobs:
 # pull the base image used for FROM in containerfile so
 # we can retry on that unfortunately common failure case
 podman pull ${{ env.IMAGE_REGISTRY }}/${{ env.SOURCE_IMAGE }}:${{ matrix.fedora_version }}
- podman pull ${{ env.IMAGE_REGISTRY }}/akmods-nvidia:${{ matrix.kernel_flavor }}-${{ matrix.fedora_version }}
+ podman pull ghcr.io/ublue-os/akmods-nvidia:${{ matrix.kernel_flavor }}-${{ matrix.fedora_version }}
 - name: Get current version
 id: labels
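Review bot: The added `pubkey:` input on the source-image verify step (second hunk) fetches the key from `https://raw.githubusercontent.com/bpbeatty/hwe/main/cosign.pub`, a branch URL, so the key that decides whether the base image is trusted is whatever `main` serves when the job runs, not the key reviewed with this commit. Pinning the reference to a commit, `pubkey: https://raw.githubusercontent.com/bpbeatty/hwe/<COMMIT_SHA>/cosign.pub` (placeholder SHA), ties verification to a reviewed key. The `Verify akmods-nvidia image` step in the same hunk now targets `ghcr.io/ublue-os` without a `pubkey`, so it presumably falls back to the action's default key; that should be confirmed and recorded in a comment such as `# upstream image: verified with the action's default key`.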
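Review bot: The upstream registry `ghcr.io/ublue-os` is written as a literal in the `podman pull` line of the third hunk, and again in the `registry:` input of the akmods verify step and in both `skopeo inspect` commands of the later hunks. A single workflow-level variable, for example `AKMODS_REGISTRY: ghcr.io/ublue-os` under `env:`, referenced as `${{ env.AKMODS_REGISTRY }}`, would keep the verified, pulled and inspected references from drifting apart when one of them is edited. The `env:` block is outside the visible hunks, so its current contents need checking first.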
@@ -176,7 +177,7 @@ jobs:
 attempt_delay: 15000
 command: |
 set -eo pipefail
- skopeo inspect docker://${{ env.IMAGE_REGISTRY }}/${{ env.SOURCE_IMAGE }}:${{ matrix.fedora_version }} > source.json
+ skopeo inspect docker://ghcr.io/ublue-os/${{ env.SOURCE_IMAGE }}:${{ matrix.fedora_version }} > source.json
 ver=$(jq -r '.Labels["org.opencontainers.image.version"]' source.json)
 if [ -z "$ver" ] || [ "null" = "$ver" ]; then
 echo "inspected image version must not be empty or null"
@@ -184,7 +185,7 @@ jobs:
 fi
 echo "SOURCE_IMAGE_VERSION=$ver" >> $GITHUB_ENV
- skopeo inspect docker://${{ env.IMAGE_REGISTRY }}/akmods-nvidia:${{ matrix.kernel_flavor }}-${{ matrix.fedora_version }} > akmods.json
+ skopeo inspect docker://ghcr.io/ublue-os/akmods-nvidia:${{ matrix.kernel_flavor }}-${{ matrix.fedora_version }} > akmods.json
 linux=$(jq -r '.Labels["ostree.linux"]' akmods.json)
 if [ -z "$linux" ] || [ "null" = "$linux" ]; then
 echo "inspected image linux version must not be empty or null"
@@ -201,7 +202,7 @@ jobs:
 ${{ env.IMAGE_NAME }}
 labels: |
 org.opencontainers.image.title=${{ env.IMAGE_NAME }}
- org.opencontainers.image.description=ublue-os ${{ matrix.image_name }}${{ matrix.kernel_flavor == 'asus' && ' for ASUS devices' || '' }}${{ matrix.kernel_flavor == 'surface' && ' for Surface laptops' || ''}}${{ matrix.image_target == 'nvidia' && ' with Nvidia drivers' || ''}}
+ org.opencontainers.image.description=bpbeatty ${{ matrix.image_name }}${{ matrix.kernel_flavor == 'asus' && ' for ASUS devices' || '' }}${{ matrix.kernel_flavor == 'surface' && ' for Surface laptops' || ''}}${{ matrix.image_target == 'nvidia' && ' with Nvidia drivers' || ''}}
 org.opencontainers.image.version=${{ env.SOURCE_IMAGE_VERSION }}
 ostree.linux=${{ env.KERNEL_VERSION }}
 io.artifacthub.package.readme-url=https://raw.githubusercontent.com/${{ github.repository }}/main/README.md
diff --git a/Containerfile b/Containerfile
index cc133884..b3b5fce1 100644
--- a/Containerfile
+++ b/Containerfile
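Review bot: The first `skopeo inspect` now reads `ghcr.io/ublue-os/${{ env.SOURCE_IMAGE }}`, while the verify and `podman pull` steps earlier in the job still use `${{ env.IMAGE_REGISTRY }}/${{ env.SOURCE_IMAGE }}` and the Containerfile in this commit defaults `SOURCE_ORG` to `bpbeatty`. If `IMAGE_REGISTRY` points at the fork's namespace (its value is outside the hunk), `SOURCE_IMAGE_VERSION` is read from an image that was neither signature-verified nor used as the build base, so the published version label can disagree with what was actually built. Keeping the line as `skopeo inspect docker://${{ env.IMAGE_REGISTRY }}/${{ env.SOURCE_IMAGE }}:${{ matrix.fedora_version }} > source.json` inspects the image that was verified. The akmods-nvidia change in the next hunk is consistent with its own verify and pull steps.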
@@ -1,6 +1,6 @@
 ARG IMAGE_NAME="${IMAGE_NAME:-silverblue}"
 ARG SOURCE_IMAGE="${SOURCE_IMAGE:-silverblue-main}"
-ARG SOURCE_ORG="${SOURCE_ORG:-ublue-os}"
+ARG SOURCE_ORG="${SOURCE_ORG:-bpbeatty}"
 ARG BASE_IMAGE="ghcr.io/${SOURCE_ORG}/${SOURCE_IMAGE}"
 ARG FEDORA_MAJOR_VERSION="${FEDORA_MAJOR_VERSION:-40}"
@@ -9,7 +9,7 @@ FROM ${BASE_IMAGE}:${FEDORA_MAJOR_VERSION} AS main
 ARG FEDORA_MAJOR_VERSION="${FEDORA_MAJOR_VERSION:-40}"
 ARG KERNEL_FLAVOR="${KERNEL_FLAVOR:-main}"
 ARG IMAGE_NAME="${IMAGE_NAME:-silverblue}"
-ARG IMAGE_VENDOR="${IMAGE_VENDOR:-ublue-os}"
+ARG IMAGE_VENDOR="${IMAGE_VENDOR:-bpbeatty}"
 ARG RPMFUSION_MIRROR=""
 COPY *.sh /tmp/
@@ -27,14 +27,14 @@ RUN mkdir -p /var/lib/alternatives && \
 FROM main AS nvidia
-ARG SOURCE_ORG="${SOURCE_ORG:-ublue-os}"
+ARG SOURCE_ORG="${SOURCE_ORG:-bpbeatty}"
 ARG FEDORA_MAJOR_VERSION="${FEDORA_MAJOR_VERSION:-40}"
 ARG KERNEL_FLAVOR="${KERNEL_FLAVOR:-main}"
 ARG IMAGE_NAME="${IMAGE_NAME:-silverblue}"
-ARG IMAGE_VENDOR="${IMAGE_VENDOR:-ublue-os}"
+ARG IMAGE_VENDOR="${IMAGE_VENDOR:-bpbeatty}"
 ARG RPMFUSION_MIRROR=""
-COPY --from=ghcr.io/${SOURCE_ORG}/akmods-nvidia:${KERNEL_FLAVOR}-${FEDORA_MAJOR_VERSION} /rpms /tmp/akmods-rpms
+COPY --from=ghcr.io/ublue-os/akmods-nvidia:${KERNEL_FLAVOR}-${FEDORA_MAJOR_VERSION} /rpms /tmp/akmods-rpms
 COPY *.sh /tmp/
diff --git a/cosign.pub b/cosign.pub
index f9482c42..0bbb8580 100644
--- a/cosign.pub
+++ b/cosign.pub
@@ -1,4 +1,4 @@
 -----BEGIN PUBLIC KEY-----
-MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE7lh7fJMV4dBT2jT1XafixUJa7OVA
-cT+QFVD8IfIJIS/KBAc8hx1aslzkH3tfeM0cwyCLB7kOStZ4sh6RyFQD9w==
+MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEKzG40GDYzK/xo3Fd+NcNiuBqqZKW
+QdbqTzIfNWjYwJH1KJAPpvvb5Ok+9o/vwjQRRuBqjvi9iKio+JHdEpzXjA==
 -----END PUBLIC KEY-----
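Review bot: With `COPY --from` in the `nvidia` stage now hard-coded to `ghcr.io/ublue-os/akmods-nvidia`, the `ARG SOURCE_ORG` redeclared at the top of that stage has no remaining use in the visible lines; the stage continues past the hunk, so confirm before removing it. A dedicated argument keeps the akmods source overridable and documents that the base image comes from the fork while the akmods image stays upstream: `ARG AKMODS_ORG="${AKMODS_ORG:-ublue-os}"` and `COPY --from=ghcr.io/${AKMODS_ORG}/akmods-nvidia:${KERNEL_FLAVOR}-${FEDORA_MAJOR_VERSION} /rpms /tmp/akmods-rpms`. The reference is a mutable tag and, as far as this commit shows, only the CI workflow verifies its signature, so a build run outside that workflow copies the RPMs unverified; a comment above the `COPY` should say so.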
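Review bot: The key swap in `cosign.pub` comes with no record of why the key changed or how to confirm the new one; the commit message is only "feat: update signing key". Hosts or pipelines that still hold the previous key will fail verification of images signed with the new one, and nothing here tells them which key is current. The commit body or README should state whether this is a rotation or a move to a separate key pair for the fork, and give the new key's fingerprint so consumers can compare it out of band.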