
chore: modify signing module to respond to bluebuild changes (#116)
RoyalOughtness authored Jan 13, 2025
1 parent aef4ab9 commit 7652994
Showing 5 changed files with 125 additions and 32 deletions.
2 changes: 1 addition & 1 deletion .github/workflows/build.yml
Expand Up @@ -75,7 +75,7 @@ jobs:
- name: Build wayblue
uses: blue-build/github-action@4d8b4df657ec923574611eec6fd7e959416c47f0 # v1.8.1
with:
cli_version: v0.9.0
cli_version: v0.9.2
recipe: ${{ matrix.recipe }}
cosign_private_key: ${{ secrets.SIGNING_SECRET }}
registry_token: ${{ github.token }}
2 changes: 1 addition & 1 deletion .github/workflows/pull_request.yml
Expand Up @@ -45,7 +45,7 @@ jobs:
run: |
docker create \
--name blue-build-installer \
ghcr.io/blue-build/cli:v0.9.0-installer
ghcr.io/blue-build/cli:v0.9.2-installer
docker cp blue-build-installer:/out/bluebuild /usr/local/bin/bluebuild
docker rm blue-build-installer
bluebuild --version
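--- a/modules/wayblue-signing/policy.json
+++ b/modules/wayblue-signing/policy.json
@@ -1,25 +1,104 @@
 {
-"default": [
-{
-"type": "reject"
-}
-],
-"transports": {
-"docker": {
-"registry.access.redhat.com": [
-{
-"type": "signedBy",
-"keyType": "GPGKeys",
-"keyPath": "/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release"
-}
-],
-"registry.redhat.io": [
-{
-"type": "signedBy",
-"keyType": "GPGKeys",
-"keyPath": "/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release"
-}
-]
-}
-}
+"default": [
+{
+"type": "reject"
+}
+],
+"transports": {
+"docker": {
+"registry.access.redhat.com": [
+{
+"type": "signedBy",
+"keyType": "GPGKeys",
+"keyPath": "/usr/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release"
+}
+],
+"registry.redhat.io": [
+{
+"type": "signedBy",
+"keyType": "GPGKeys",
+"keyPath": "/usr/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release"
+}
+],
+"quay.io/toolbx-images": [
+{
+"type": "sigstoreSigned",
+"keyPath": "/usr/etc/pki/containers/quay.io-toolbx-images.pub",
+"signedIdentity": {
+"type": "matchRepository"
+}
+}
+],
+"ghcr.io/ublue-os": [
+{
+"type": "sigstoreSigned",
+"keyPath": "/usr/etc/pki/containers/ublue-os.pub",
+"signedIdentity": {
+"type": "matchRepository"
+}
+}
+],
+"": [
+{
+"type": "insecureAcceptAnything"
+}
+]
+},
+"docker-daemon": {
+"": [
+{
+"type": "insecureAcceptAnything"
+}
+]
+},
+"atomic": {
+"": [
+{
+"type": "insecureAcceptAnything"
+}
+]
+},
+"containers-storage": {
+"": [
+{
+"type": "insecureAcceptAnything"
+}
+]
+},
+"dir": {
+"": [
+{
+"type": "insecureAcceptAnything"
+}
+]
+},
+"oci": {
+"": [
+{
+"type": "insecureAcceptAnything"
+}
+]
+},
+"oci-archive": {
+"": [
+{
+"type": "insecureAcceptAnything"
+}
+]
+},
+"docker-archive": {
+"": [
+{
+"type": "insecureAcceptAnything"
+}
+]
+},
+"tarball": {
+"": [
+{
+"type": "insecureAcceptAnything"
+}
+]
+}
+}
 }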
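Review bot: The new `"": [ { "type": "insecureAcceptAnything" } ]` entry under the `docker` transport is a catch-all, so an image pulled from any registry other than the four listed above it is accepted with no signature check, and the top-level `"default": [ { "type": "reject" } ]` no longer governs docker pulls at all; the same catch-all is added for `docker-daemon`, `atomic`, `containers-storage`, `dir`, `oci`, `oci-archive`, `docker-archive` and `tarball`. If the intent is to enforce signatures only for the listed registries plus the image's own (which wayblue-signing.sh presumably adds when it rewrites this file), that scope should be stated in the module's README, since policy.json cannot carry comments; otherwise the `""` entries are where to tighten, e.g. `"": [ { "type": "reject" } ]` for `docker`. Separately, the Red Hat `keyPath` values now point at `/usr/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release` while this file is also installed as `/etc/containers/policy.json`; whether that path exists on the target images is not visible here and is worth confirming, since a missing key file presumably makes those two entries reject rather than verify.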
File renamed without changes.
28 changes: 21 additions & 7 deletions modules/wayblue-signing/wayblue-signing.sh
Expand Up @@ -4,6 +4,7 @@
set -euo pipefail

CONTAINER_DIR="/usr/etc/containers"
ETC_CONTAINER_DIR="/etc/containers"
MODULE_DIRECTORY="${MODULE_DIRECTORY:-"/tmp/modules"}"
IMAGE_NAME_FILE="${IMAGE_NAME//\//_}"
IMAGE_REGISTRY_TITLE=$(echo "$IMAGE_REGISTRY" | cut -d'/' -f2-)
Expand All @@ -15,22 +16,33 @@ if ! [ -d "$CONTAINER_DIR" ]; then
mkdir -p "$CONTAINER_DIR"
fi

if ! [ -d "$ETC_CONTAINER_DIR" ]; then
mkdir -p "$ETC_CONTAINER_DIR"
fi

if ! [ -d $CONTAINER_DIR/registries.d ]; then
mkdir -p "$CONTAINER_DIR/registries.d"
fi

if ! [ -d $ETC_CONTAINER_DIR/registries.d ]; then
mkdir -p "$ETC_CONTAINER_DIR/registries.d"
fi

if ! [ -d "/usr/etc/pki/containers" ]; then
mkdir -p "/usr/etc/pki/containers"
fi

if ! [ -f "$CONTAINER_DIR/policy.json" ]; then
cp "$MODULE_DIRECTORY/signing/policy.json" "$CONTAINER_DIR/policy.json"
if ! [ -d "/etc/pki/containers" ]; then
mkdir -p "/etc/pki/containers"
fi

cp "$MODULE_DIRECTORY/wayblue-signing/policy.json" $CONTAINER_DIR/policy.json
cp "$MODULE_DIRECTORY/wayblue-signing/policy.json" $ETC_CONTAINER_DIR/policy.json

# covering our bases here since /usr/etc is technically unsupported, reevaluate once bootc is the primary deployment tool
cp "/usr/etc/pki/containers/$IMAGE_NAME.pub" "/usr/etc/pki/containers/$IMAGE_REGISTRY_TITLE.pub"
cp "/usr/etc/pki/containers/$IMAGE_NAME.pub" "/etc/pki/containers/$IMAGE_REGISTRY_TITLE.pub"
rm "/usr/etc/pki/containers/$IMAGE_NAME.pub"
cp "/etc/pki/containers/$IMAGE_NAME.pub" "/usr/etc/pki/containers/$IMAGE_REGISTRY_TITLE.pub"
cp "/etc/pki/containers/$IMAGE_NAME.pub" "/etc/pki/containers/$IMAGE_REGISTRY_TITLE.pub"
rm "/etc/pki/containers/$IMAGE_NAME.pub"

POLICY_FILE="$CONTAINER_DIR/policy.json"

Expand All @@ -52,5 +64,7 @@ cp POLICY.tmp /usr/etc/containers/policy.json
cp POLICY.tmp /etc/containers/policy.json
rm POLICY.tmp

mv "$MODULE_DIRECTORY/signing/registry-config.yaml" "$CONTAINER_DIR/registries.d/$IMAGE_REGISTRY_TITLE.yaml"
sed -i "s ghcr.io/IMAGENAME $IMAGE_REGISTRY g" "$CONTAINER_DIR/registries.d/$IMAGE_REGISTRY_TITLE.yaml"
sed -i "s ghcr.io/IMAGENAME $IMAGE_REGISTRY g" "$MODULE_DIRECTORY/wayblue-signing/registry-config.yaml"
cp "$MODULE_DIRECTORY/wayblue-signing/registry-config.yaml" "$CONTAINER_DIR/registries.d/$IMAGE_REGISTRY_TITLE.yaml"
cp "$MODULE_DIRECTORY/wayblue-signing/registry-config.yaml" "$ETC_CONTAINER_DIR/registries.d/$IMAGE_REGISTRY_TITLE.yaml"
rm "$MODULE_DIRECTORY/wayblue-signing/registry-config.yaml"
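Review bot: In the second hunk the destination operands of `cp "$MODULE_DIRECTORY/wayblue-signing/policy.json" $CONTAINER_DIR/policy.json` and the following line are unquoted, as is the path in the new `[ -d $ETC_CONTAINER_DIR/registries.d ]` test, so they depend on both directory variables staying free of whitespace and glob characters; write `"$CONTAINER_DIR/policy.json"`, `"$ETC_CONTAINER_DIR/policy.json"` and `[ -d "$ETC_CONTAINER_DIR/registries.d" ]` (ShellCheck SC2086). The same hunk appears to drop the `if ! [ -f "$CONTAINER_DIR/policy.json" ]` guard, so a policy.json already staged into the image is now silently replaced; if that is intended, a comment such as `# always install the module's policy.json so the shipped trust policy is authoritative` above the two copies would record it. In the last hunk `$IMAGE_REGISTRY` is still expanded inside the sed program `s ghcr.io/IMAGENAME $IMAGE_REGISTRY g`, where a value containing a space, `&` or `\` changes the command rather than the output; a fixed-string replacement via bash parameter expansion (read the file into a variable, apply `${content//ghcr.io\/IMAGENAME/$IMAGE_REGISTRY}`, write it back with `printf '%s'`) removes that injection surface. The script's body continues outside these hunks.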
