diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 3c48ba32..3f81bab3 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -75,7 +75,7 @@ jobs:
 - name: Build wayblue
 uses: blue-build/github-action@4d8b4df657ec923574611eec6fd7e959416c47f0 # v1.8.1
 with:
- cli_version: v0.9.0
+ cli_version: v0.9.2
 recipe: ${{ matrix.recipe }}
 cosign_private_key: ${{ secrets.SIGNING_SECRET }}
 registry_token: ${{ github.token }}
diff --git a/.github/workflows/pull_request.yml b/.github/workflows/pull_request.yml
index 5284d329..909dc537 100644
--- a/.github/workflows/pull_request.yml
+++ b/.github/workflows/pull_request.yml
@@ -45,7 +45,7 @@ jobs:
 run: |
 docker create \
 --name blue-build-installer \
- ghcr.io/blue-build/cli:v0.9.0-installer
+ ghcr.io/blue-build/cli:v0.9.2-installer
 docker cp blue-build-installer:/out/bluebuild /usr/local/bin/bluebuild
 docker rm blue-build-installer
 bluebuild --version
diff --git a/modules/wayblue-signing/policy.json b/modules/wayblue-signing/policy.json
index 3b3ed887..21473af7 100644
--- a/modules/wayblue-signing/policy.json
+++ b/modules/wayblue-signing/policy.json
@@ -1,25 +1,104 @@
 {
- "default": [
- {
- "type": "reject"
- }
- ],
- "transports": {
- "docker": {
- "registry.access.redhat.com": [
- {
- "type": "signedBy",
- "keyType": "GPGKeys",
- "keyPath": "/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release"
- }
- ],
- "registry.redhat.io": [
- {
- "type": "signedBy",
- "keyType": "GPGKeys",
- "keyPath": "/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release"
- }
- ]
- }
- }
+ "default": [
+ {
+ "type": "reject"
+ }
+ ],
+ "transports": {
+ "docker": {
+ "registry.access.redhat.com": [
+ {
+ "type": "signedBy",
+ "keyType": "GPGKeys",
+ "keyPath": "/usr/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release"
+ }
+ ],
+ "registry.redhat.io": [
+ {
+ "type": "signedBy",
+ "keyType": "GPGKeys",
+ "keyPath": "/usr/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release"
+ }
+ ],
+ "quay.io/toolbx-images": [
+ {
+ "type": "sigstoreSigned",
+ "keyPath": "/usr/etc/pki/containers/quay.io-toolbx-images.pub",
+ "signedIdentity": {
+ "type": "matchRepository"
+ }
+ }
+ ],
+ "ghcr.io/ublue-os": [
+ {
+ "type": "sigstoreSigned",
+ "keyPath": "/usr/etc/pki/containers/ublue-os.pub",
+ "signedIdentity": {
+ "type": "matchRepository"
+ }
+ }
+ ],
+ "": [
+ {
+ "type": "insecureAcceptAnything"
+ }
+ ]
+ },
+ "docker-daemon": {
+ "": [
+ {
+ "type": "insecureAcceptAnything"
+ }
+ ]
+ },
+ "atomic": {
+ "": [
+ {
+ "type": "insecureAcceptAnything"
+ }
+ ]
+ },
+ "containers-storage": {
+ "": [
+ {
+ "type": "insecureAcceptAnything"
+ }
+ ]
+ },
+ "dir": {
+ "": [
+ {
+ "type": "insecureAcceptAnything"
+ }
+ ]
+ },
+ "oci": {
+ "": [
+ {
+ "type": "insecureAcceptAnything"
+ }
+ ]
+ },
+ "oci-archive": {
+ "": [
+ {
+ "type": "insecureAcceptAnything"
+ }
+ ]
+ },
+ "docker-archive": {
+ "": [
+ {
+ "type": "insecureAcceptAnything"
+ }
+ ]
+ },
+ "tarball": {
+ "": [
+ {
+ "type": "insecureAcceptAnything"
+ }
+ ]
+ }
+ }
 }
\ No newline at end of file
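Review bot: The new `"": [{"type": "insecureAcceptAnything"}]` scope under the `docker` transport accepts unsigned images from every registry that is not listed by name, so the top-level `"default": [{"type": "reject"}]` never applies to a registry pull any more and only the four named registries are actually verified. If the intent is to verify the listed registries plus the image's own registry (which the signing script appends later), drop that catch-all so unlisted registries fall through to `reject`; if the permissive default is deliberate, say so in a comment in the module's README, since JSON cannot carry one. The two `sigstoreSigned` entries point at `/usr/etc/pki/containers/quay.io-toolbx-images.pub` and `/usr/etc/pki/containers/ublue-os.pub`, which nothing in this commit installs; as far as I know a missing key file makes the requirement fail closed, so pulls from those registries would be rejected until the keys are present — presumably they ship with the base image, but that is not visible here. The `signedBy` keyPaths also moved from `/etc/pki/rpm-gpg` to `/usr/etc/pki/rpm-gpg` while the script's own comment calls `/usr/etc` unsupported; keeping every keyPath under `/etc` avoids depending on it.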
diff --git a/modules/wayblue-signing/registry-config.yml b/modules/wayblue-signing/registry-config.yaml
similarity index 100%
rename from modules/wayblue-signing/registry-config.yml
rename to modules/wayblue-signing/registry-config.yaml
diff --git a/modules/wayblue-signing/wayblue-signing.sh b/modules/wayblue-signing/wayblue-signing.sh
index 54908ede..6132db0d 100644
--- a/modules/wayblue-signing/wayblue-signing.sh
+++ b/modules/wayblue-signing/wayblue-signing.sh
@@ -4,6 +4,7 @@
 set -euo pipefail
 CONTAINER_DIR="/usr/etc/containers"
+ETC_CONTAINER_DIR="/etc/containers"
 MODULE_DIRECTORY="${MODULE_DIRECTORY:-"/tmp/modules"}"
 IMAGE_NAME_FILE="${IMAGE_NAME//\//_}"
 IMAGE_REGISTRY_TITLE=$(echo "$IMAGE_REGISTRY" | cut -d'/' -f2-)
@@ -15,22 +16,33 @@ if ! [ -d "$CONTAINER_DIR" ]; then
 mkdir -p "$CONTAINER_DIR"
 fi
+if ! [ -d "$ETC_CONTAINER_DIR" ]; then
+ mkdir -p "$ETC_CONTAINER_DIR"
+fi
+
 if ! [ -d $CONTAINER_DIR/registries.d ]; then
 mkdir -p "$CONTAINER_DIR/registries.d"
 fi
+if ! [ -d $ETC_CONTAINER_DIR/registries.d ]; then
+ mkdir -p "$ETC_CONTAINER_DIR/registries.d"
+fi
+
 if ! [ -d "/usr/etc/pki/containers" ]; then
 mkdir -p "/usr/etc/pki/containers"
 fi
-if ! [ -f "$CONTAINER_DIR/policy.json" ]; then
- cp "$MODULE_DIRECTORY/signing/policy.json" "$CONTAINER_DIR/policy.json"
+if ! [ -d "/etc/pki/containers" ]; then
+ mkdir -p "/etc/pki/containers"
 fi
+cp "$MODULE_DIRECTORY/wayblue-signing/policy.json" $CONTAINER_DIR/policy.json
+cp "$MODULE_DIRECTORY/wayblue-signing/policy.json" $ETC_CONTAINER_DIR/policy.json
+
 # covering our bases here since /usr/etc is technically unsupported, reevaluate once bootc is the primary deployment tool
-cp "/usr/etc/pki/containers/$IMAGE_NAME.pub" "/usr/etc/pki/containers/$IMAGE_REGISTRY_TITLE.pub"
-cp "/usr/etc/pki/containers/$IMAGE_NAME.pub" "/etc/pki/containers/$IMAGE_REGISTRY_TITLE.pub"
-rm "/usr/etc/pki/containers/$IMAGE_NAME.pub"
+cp "/etc/pki/containers/$IMAGE_NAME.pub" "/usr/etc/pki/containers/$IMAGE_REGISTRY_TITLE.pub"
+cp "/etc/pki/containers/$IMAGE_NAME.pub" "/etc/pki/containers/$IMAGE_REGISTRY_TITLE.pub"
+rm "/etc/pki/containers/$IMAGE_NAME.pub"
 POLICY_FILE="$CONTAINER_DIR/policy.json"
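Review bot: The `-f` guard is gone and the module's policy.json is now copied unconditionally over `$CONTAINER_DIR/policy.json` and `$ETC_CONTAINER_DIR/policy.json`, so whatever policy the base image already ships — including any registries it verified — is silently replaced by the module's copy; if that is intended, a comment such as `# Replaces the base image's policy.json wholesale; registries it verified must be re-listed in modules/wayblue-signing/policy.json` would make the trust decision explicit, otherwise merge into the existing file instead. The two `cp` destinations and the new `[ -d $ETC_CONTAINER_DIR/registries.d ]` test leave the expansion unquoted while every other path in the hunk is quoted; the values contain no whitespace today, but `"$CONTAINER_DIR/policy.json"` keeps the script consistent and shellcheck-clean. The key copy now reads `/etc/pki/containers/$IMAGE_NAME.pub` right after `mkdir -p "/etc/pki/containers"` may have created that directory empty, so under `set -e` the `cp` aborts the build if nothing placed the key there — presumably the build tool writes it to that path, but that is not visible in this diff. The copy to `$ETC_CONTAINER_DIR/policy.json` also looks redundant, since the last hunk later overwrites `/etc/containers/policy.json` with POLICY.tmp.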
@@ -52,5 +64,7 @@ cp POLICY.tmp /usr/etc/containers/policy.json
 cp POLICY.tmp /etc/containers/policy.json
 rm POLICY.tmp
-mv "$MODULE_DIRECTORY/signing/registry-config.yaml" "$CONTAINER_DIR/registries.d/$IMAGE_REGISTRY_TITLE.yaml"
-sed -i "s ghcr.io/IMAGENAME $IMAGE_REGISTRY g" "$CONTAINER_DIR/registries.d/$IMAGE_REGISTRY_TITLE.yaml"
+sed -i "s ghcr.io/IMAGENAME $IMAGE_REGISTRY g" "$MODULE_DIRECTORY/wayblue-signing/registry-config.yaml"
+cp "$MODULE_DIRECTORY/wayblue-signing/registry-config.yaml" "$CONTAINER_DIR/registries.d/$IMAGE_REGISTRY_TITLE.yaml"
+cp "$MODULE_DIRECTORY/wayblue-signing/registry-config.yaml" "$ETC_CONTAINER_DIR/registries.d/$IMAGE_REGISTRY_TITLE.yaml"
+rm "$MODULE_DIRECTORY/wayblue-signing/registry-config.yaml"
\ No newline at end of file
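Review bot: `sed -i` now rewrites the template inside `$MODULE_DIRECTORY` in place before it is copied and then deleted, so the module tree is mutated as a side effect and, as with the previous `mv`, a second run of the module in the same build fails under `set -e` on the missing file. Writing the substituted output straight to the first destination keeps the template intact: `sed "s ghcr.io/IMAGENAME $IMAGE_REGISTRY g" "$MODULE_DIRECTORY/wayblue-signing/registry-config.yaml" > "$CONTAINER_DIR/registries.d/$IMAGE_REGISTRY_TITLE.yaml"` followed by `cp "$CONTAINER_DIR/registries.d/$IMAGE_REGISTRY_TITLE.yaml" "$ETC_CONTAINER_DIR/registries.d/$IMAGE_REGISTRY_TITLE.yaml"`, with the `rm` kept only if removing the template is deliberate. The `.` in `ghcr.io/IMAGENAME` is a regex metacharacter and `$IMAGE_REGISTRY` is interpolated unescaped into the replacement, so an `&` or a space in the value would corrupt the output; that pattern predates this commit and is only worth fixing while the line is being touched. The new last line also leaves the script without a trailing newline.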