feat: add signed image files

trust it's own signed image
ii · Feb 6, 2024 · 9003832 · 9003832
1 parent 9413332
commit 9003832
Show file tree

Hide file tree

Showing 6 changed files with 121 additions and 0 deletions.
diff --git a/Containerfile b/Containerfile
@@ -5,5 +5,7 @@ RUN rpm-ostree install \
  libvirt \
  && systemctl enable libvirtd.service \
  && systemctl disable zincati.service
+COPY cosign.pub /usr/etc/pki/containers/ii.pub
+COPY files /
 RUN rm -fr /tmp/* /var/* \
  && ostree container commit
diff --git a/README.md b/README.md
@@ -4,12 +4,22 @@
 
 ## Switching to the image
 
+reset to a clean state
 ```shell
 rpm-ostree reset
+```
+
+rebase to the image
+```shell
 rpm-ostree rebase ostree-unverified-registry:ghcr.io/ii/corehost/corehost:stable
 ```
 (as root)
 
+then rebase to the signed version
+```shell
+rpm-ostree rebase ostree-image-signed:docker://ghcr.io/ii/corehost/corehost:stable
+```
+
 ## Equinix Metal iPXE booting
 
 read [this doc](./equinix-metal-ipxe-boot/README.md)
diff --git a/files/etc/rpm-ostreed.conf b/files/etc/rpm-ostreed.conf
@@ -0,0 +1,7 @@
+# Entries in this file show the compile time defaults.
+# You can change settings by editing this file.
+# For option meanings, see rpm-ostreed.conf(5).
+
+[Daemon]
+AutomaticUpdatePolicy=stage
+#IdleExitTimeout=60
diff --git a/files/usr/etc/containers/policy.json b/files/usr/etc/containers/policy.json
@@ -0,0 +1,95 @@
+{
+ "default": [
+ {
+ "type": "reject"
+ }
+ ],
+ "transports": {
+ "docker": {
+ "registry.access.redhat.com": [
+ {
+ "type": "signedBy",
+ "keyType": "GPGKeys",
+ "keyPath": "/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release"
+ }
+ ],
+ "registry.redhat.io": [
+ {
+ "type": "signedBy",
+ "keyType": "GPGKeys",
+ "keyPath": "/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release"
+ }
+ ],
+ "ghcr.io/ii": [
+ {
+ "type": "sigstoreSigned",
+ "keyPath": "/usr/etc/pki/containers/ii.pub",
+ "signedIdentity": {
+ "type": "matchRepository"
+ }
+ }
+ ],
+ "": [
+ {
+ "type": "insecureAcceptAnything"
+ }
+ ]
+ },
+ "docker-daemon": {
+ "": [
+ {
+ "type": "insecureAcceptAnything"
+ }
+ ]
+ },
+ "atomic": {
+ "": [
+ {
+ "type": "insecureAcceptAnything"
+ }
+ ]
+ },
+ "containers-storage": {
+ "": [
+ {
+ "type": "insecureAcceptAnything"
+ }
+ ]
+ },
+ "dir": {
+ "": [
+ {
+ "type": "insecureAcceptAnything"
+ }
+ ]
+ },
+ "oci": {
+ "": [
+ {
+ "type": "insecureAcceptAnything"
+ }
+ ]
+ },
+ "oci-archive": {
+ "": [
+ {
+ "type": "insecureAcceptAnything"
+ }
+ ]
+ },
+ "docker-archive": {
+ "": [
+ {
+ "type": "insecureAcceptAnything"
+ }
+ ]
+ },
+ "tarball": {
+ "": [
+ {
+ "type": "insecureAcceptAnything"
+ }
+ ]
+ }
+ }
+}
diff --git a/files/usr/etc/containers/registries.d/ublue-os.yaml b/files/usr/etc/containers/registries.d/ublue-os.yaml
@@ -0,0 +1,3 @@
+docker:
+ ghcr.io/ii:
+ use-sigstore-attachments: true
diff --git a/files/usr/etc/pki/containers/ublue-os.pub b/files/usr/etc/pki/containers/ublue-os.pub
@@ -0,0 +1,4 @@
+-----BEGIN PUBLIC KEY-----
+MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE7lh7fJMV4dBT2jT1XafixUJa7OVA
+cT+QFVD8IfIJIS/KBAc8hx1aslzkH3tfeM0cwyCLB7kOStZ4sh6RyFQD9w==
+-----END PUBLIC KEY-----