From 900383244bdee3f5e810e1274d20b0506d157b12 Mon Sep 17 00:00:00 2001
From: Caleb Woodbine
Date: Tue, 6 Feb 2024 13:42:32 +1300
Subject: [PATCH] feat: add signed image files trust it's own signed image
---
Containerfile | 2 +
README.md | 10 ++
files/etc/rpm-ostreed.conf | 7 ++
files/usr/etc/containers/policy.json | 95 +++++++++++++++++++
.../etc/containers/registries.d/ublue-os.yaml | 3 +
files/usr/etc/pki/containers/ublue-os.pub | 4 +
6 files changed, 121 insertions(+)
create mode 100644 files/etc/rpm-ostreed.conf
create mode 100644 files/usr/etc/containers/policy.json
create mode 100644 files/usr/etc/containers/registries.d/ublue-os.yaml
create mode 100644 files/usr/etc/pki/containers/ublue-os.pub
diff --git a/Containerfile b/Containerfile
index 70e3ae9..3303445 100644
--- a/Containerfile
+++ b/Containerfile
@@ -5,5 +5,7 @@ RUN rpm-ostree install \
 libvirt \
 && systemctl enable libvirtd.service \
 && systemctl disable zincati.service
+COPY cosign.pub /usr/etc/pki/containers/ii.pub
+COPY files /
 RUN rm -fr /tmp/* /var/* \
 && ostree container commit
diff --git a/README.md b/README.md
index 98e2fc2..6f3e1a0 100644
--- a/README.md
+++ b/README.md
@@ -4,12 +4,22 @@ ## Switching to the image
+reset to a clean state
 ```shell
 rpm-ostree reset
+```
+
+rebase to the image
+```shell
 rpm-ostree rebase ostree-unverified-registry:ghcr.io/ii/corehost/corehost:stable
 ```
 (as root)
+then rebase to the signed version
+```shell
+rpm-ostree rebase ostree-image-signed:docker://ghcr.io/ii/corehost/corehost:stable
+```
+
 ## Equinix Metal iPXE booting
 read [this doc](./equinix-metal-ipxe-boot/README.md)
diff --git a/files/etc/rpm-ostreed.conf b/files/etc/rpm-ostreed.conf
new file mode 100644
index 0000000..aa5106e
--- /dev/null
+++ b/files/etc/rpm-ostreed.conf
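Review bot: `COPY cosign.pub /usr/etc/pki/containers/ii.pub` makes the repository's `cosign.pub` the root of trust for every later `ostree-image-signed` rebase, and the same path is spelled out again as `keyPath` in `files/usr/etc/containers/policy.json`, so a rename on either side silently breaks verification; a comment on the COPY line such as `# image signing public key; path must match keyPath in files/usr/etc/containers/policy.json` would tie the two together. Because the key ships inside the image it verifies, a key rotation has to be delivered in an image still signed by the old key before the new key can take effect, which is worth a line in the README. `COPY files /` puts `files/etc/rpm-ostreed.conf` under `/etc` while the other new files go under `/usr/etc`; whether the later `ostree container commit` treats both locations the same is not visible here, so keeping all shipped config on one side would be safer.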
@@ -0,0 +1,7 @@
+# Entries in this file show the compile time defaults.
+# You can change settings by editing this file.
+# For option meanings, see rpm-ostreed.conf(5).
+
+[Daemon]
+AutomaticUpdatePolicy=stage
+#IdleExitTimeout=60
diff --git a/files/usr/etc/containers/policy.json b/files/usr/etc/containers/policy.json
new file mode 100644
index 0000000..07eb16e
--- /dev/null
+++ b/files/usr/etc/containers/policy.json
@@ -0,0 +1,95 @@
+{
+ "default": [
+ {
+ "type": "reject"
+ }
+ ],
+ "transports": {
+ "docker": {
+ "registry.access.redhat.com": [
+ {
+ "type": "signedBy",
+ "keyType": "GPGKeys",
+ "keyPath": "/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release"
+ }
+ ],
+ "registry.redhat.io": [
+ {
+ "type": "signedBy",
+ "keyType": "GPGKeys",
+ "keyPath": "/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release"
+ }
+ ],
+ "ghcr.io/ii": [
+ {
+ "type": "sigstoreSigned",
+ "keyPath": "/usr/etc/pki/containers/ii.pub",
+ "signedIdentity": {
+ "type": "matchRepository"
+ }
+ }
+ ],
+ "": [
+ {
+ "type": "insecureAcceptAnything"
+ }
+ ]
+ },
+ "docker-daemon": {
+ "": [
+ {
+ "type": "insecureAcceptAnything"
+ }
+ ]
+ },
+ "atomic": {
+ "": [
+ {
+ "type": "insecureAcceptAnything"
+ }
+ ]
+ },
+ "containers-storage": {
+ "": [
+ {
+ "type": "insecureAcceptAnything"
+ }
+ ]
+ },
+ "dir": {
+ "": [
+ {
+ "type": "insecureAcceptAnything"
+ }
+ ]
+ },
+ "oci": {
+ "": [
+ {
+ "type": "insecureAcceptAnything"
+ }
+ ]
+ },
+ "oci-archive": {
+ "": [
+ {
+ "type": "insecureAcceptAnything"
+ }
+ ]
+ },
+ "docker-archive": {
+ "": [
+ {
+ "type": "insecureAcceptAnything"
+ }
+ ]
+ },
+ "tarball": {
+ "": [
+ {
+ "type": "insecureAcceptAnything"
+ }
+ ]
+ }
+ }
+}
diff --git a/files/usr/etc/containers/registries.d/ublue-os.yaml b/files/usr/etc/containers/registries.d/ublue-os.yaml
new file mode 100644
index 0000000..12a3049
--- /dev/null
+++ b/files/usr/etc/containers/registries.d/ublue-os.yaml
@@ -0,0 +1,3 @@
+docker:
+ ghcr.io/ii:
+ use-sigstore-attachments: true
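Review bot: `AutomaticUpdatePolicy=stage` does nothing on its own; per rpm-ostreed.conf(5) the `rpm-ostreed-automatic.timer` unit must be enabled for the policy to run, and the Containerfile in this patch enables only `libvirtd.service` (and disables `zincati.service`), so as shipped no update will be staged. Either append `&& systemctl enable rpm-ostreed-automatic.timer` to the Containerfile's RUN line or replace the stock header comment with one stating that the host is expected to enable the timer. The `#IdleExitTimeout=60` line is carried over from the stock file and could be dropped so the shipped file contains only the setting it actually changes.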
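Review bot: The `""` entry under `docker` is `insecureAcceptAnything`, so the top-level `"default": "reject"` never reaches a registry pull: any `docker://` reference outside `ghcr.io/ii`, `registry.access.redhat.com` and `registry.redhat.io` is accepted with no signature at all, which keeps the README's `ostree-unverified-registry` rebase working but means signing is enforced only for the project's own namespace. If that is intended, a README sentence stating that only `ghcr.io/ii` images are verified would stop readers from assuming the `reject` default applies. `"signedIdentity": {"type": "matchRepository"}` lets a signature produced for any tag of a repository validate a pull of any other tag of that repository, so `ii.pub` should only ever sign images that are acceptable as `:stable`. The two Red Hat `keyPath` entries point at `/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release`, which may not exist on this base image; a missing key file makes those pulls fail closed rather than open, so it is harmless but dead configuration if the base is not RHEL-derived.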
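Review bot: The file is named `ublue-os.yaml` but its only entry is `ghcr.io/ii`, and policy.json verifies that namespace with `ii.pub`, so the name suggests a trust relationship with ublue-os that the content does not establish; naming it after the namespace it configures (e.g. `ii.yaml`) keeps registries.d readable next to the policy. `use-sigstore-attachments: true` is what lets the `sigstoreSigned` entry in policy.json locate signatures, so the two files must stay in sync; a one-line comment at the top, `# sigstore signature lookup for the namespace verified by ii.pub in policy.json`, would record that dependency.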
diff --git a/files/usr/etc/pki/containers/ublue-os.pub b/files/usr/etc/pki/containers/ublue-os.pub
new file mode 100644
index 0000000..f9482c4
--- /dev/null
+++ b/files/usr/etc/pki/containers/ublue-os.pub
@@ -0,0 +1,4 @@
+-----BEGIN PUBLIC KEY-----
+MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE7lh7fJMV4dBT2jT1XafixUJa7OVA
+cT+QFVD8IfIJIS/KBAc8hx1aslzkH3tfeM0cwyCLB7kOStZ4sh6RyFQD9w==
+-----END PUBLIC KEY-----
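Review bot: `files/usr/etc/pki/containers/ublue-os.pub` is not referenced by anything in this patch: policy.json only names `/usr/etc/pki/containers/ii.pub`, which the Containerfile copies from `cosign.pub`, so this key grants no trust as shipped and reads as a leftover from the template the layout was taken from. If the intent is to also verify images from the ublue-os project, a matching `sigstoreSigned` entry for that namespace and a registries.d `use-sigstore-attachments` entry are both needed; otherwise remove the file so the trust store holds only keys the policy actually uses.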