Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

cmd-build: Enable composeFS signing #3813

Draft
wants to merge 1 commit into
base: main
Choose a base branch
from
Draft
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
22 changes: 21 additions & 1 deletion src/cmd-build
Original file line number Diff line number Diff line change
Expand Up @@ -38,6 +38,8 @@ Usage: coreos-assembler build --help
--autolock=VERSION If no base lockfile used, create one from any arch build of `VERSION`.
Note this is automatically enabled when adding to an existing multi-arch
non-strict build.
--sign-composefs Sign the composeFS metadata and attach the signature to the OSTree commit.
This will also insert the public key into the rootfs for signature verification.

Additional environment variables supported:

Expand All @@ -62,8 +64,9 @@ TAG=
STRICT=
CONFIG_ARCHIVE=1
AUTOLOCK_VERSION=
SIGN_COMPOSEFS=
rc=0
options=$(getopt --options hfFt: --longoptions tag:,help,fetch,force,version:,parent:,parent-build:,delay-meta-merge,force-nocache,force-image,skip-prune,prepare-only,strict,skip-config-archive,autolock:,versionary -- "$@") || rc=$?
options=$(getopt --options hfFt: --longoptions tag:,help,fetch,force,version:,parent:,parent-build:,delay-meta-merge,force-nocache,force-image,skip-prune,prepare-only,strict,skip-config-archive,autolock:,versionary,sign-composefs -- "$@") || rc=$?
[ $rc -eq 0 ] || {
print_help
exit 1
Expand Down Expand Up @@ -123,6 +126,9 @@ while true; do
shift
TAG=$1
;;
--sign-composefs)
SIGN_COMPOSEFS=true
;;
--)
shift
break
Expand Down Expand Up @@ -257,6 +263,11 @@ if [ -n "${PARENT_BUILD}" ]; then
fi
fi

# If composeFS signing is enabled, generate the signature key
if test -n "${SIGN_COMPOSEFS}"; then
gen_ed25519_signing_key
fi

# Calculate image input checksum now and gather previous image build variables if any
ks_path="${configdir}"/image.ks
if [ -f "${ks_path}" ]; then
Expand Down Expand Up @@ -448,6 +459,15 @@ echo "New build ID: ${buildid}"
# Also write out a ref with the build ID
ostree --repo="${tmprepo}" refs --create "${buildid}" "${commit}"

#Not sure if we need to add --generate-composefs-metadata as I couldn't find
# any references in ostree man pages.
# is is default since https://github.com/coreos/rpm-ostree/pull/4495/commits/dbe78217c0205dad372c84b2cf0a299003787952 ?

# If composeFS signing is enabled, sign the last commit
if test -n "${SIGN_COMPOSEFS}"; then
ostree sign --keys-file ${TMPDIR}/cosa_key.ed25519 ${commit} --repo=${tmprepo}
fi

"${dn}"/write-commit-object "${tmprepo}" "${commit}" "$(pwd)"

build_timestamp=$(date -u +$RFC3339)
Expand Down
19 changes: 19 additions & 0 deletions src/cmdlib.sh
Original file line number Diff line number Diff line change
Expand Up @@ -1102,3 +1102,22 @@ extract_osrelease_name() {
# shellcheck disable=SC1091,SC2153
(. "$out/os-release" && echo "${NAME}")
}


gen_ed25519_signing_key() {
local key_file="${1:-cosa_key}"
# Generate the key
openssl genpkey -algorithm ed25519 -outform PEM -out ${TMPDIR}/${key_file}

# Extract the pubkey
PUBKEY="$(openssl pkey -outform DER -pubout -in ${TMPDIR}/${key_file} | tail -c 32 | base64)"

## write the pubkey in overrides
echo $PUBKEY > ${workdir}/overrides/rootfs/etc/ostree/initramfs-root-binding.key
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This should probably be

Suggested change
echo $PUBKEY > ${workdir}/overrides/rootfs/etc/ostree/initramfs-root-binding.key
mkdir -p ${workdir}/overrides/initramfs/etc/ostree
echo $PUBKEY > ${workdir}/overrides/initramfs/etc/ostree/initramfs-root-binding.key


# Convert the private key to base64 for ostree signing
## Extract the seed
SEED="$(openssl pkey -outform DER -in ${TMPDIR}/${key_file} | tail -c 32 | base64)"
## Secret key is the concatenation of SEED and PUBLIC
echo ${SEED}${PUBKEY} | base64 -d | base64 -w 0 > ${TMPDIR}/${key_file}.ed25519
}
Loading