From 2ba2a5481a9b1b48fb4feaebd3e2e60108c08efc Mon Sep 17 00:00:00 2001
From: "Alpin H. Gencer"
Date: Mon, 16 Jan 2023 11:07:21 +0100
Subject: [PATCH] Retry signing images with Cosign

---
 .editorconfig | 4 +
 .github/workflows/publish.yml | 19 +++++
 src/Kinoite.containerfile | 3 +
 src/Silverblue.containerfile | 3 +
 src/etc/containers/policy.json | 83 ++++++++++++++++++++
 src/etc/containers/registries.d/ocitree.yaml | 5 ++
 src/etc/pki/containers/ocitree.pub | 4 +
 7 files changed, 121 insertions(+)
 create mode 100644 src/etc/containers/policy.json
 create mode 100644 src/etc/containers/registries.d/ocitree.yaml
 create mode 100644 src/etc/pki/containers/ocitree.pub

diff --git a/.editorconfig b/.editorconfig
index d45aad0..3289866 100644
--- a/.editorconfig
+++ b/.editorconfig
@@ -10,6 +10,10 @@ trim_trailing_whitespace = true
 indent_style = space
 indent_size = 2
 
+[*.json]
+indent_style = space
+indent_size = 4
+
 [*.md]
 indent_style = space
 indent_size = 4
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index 16aeb40..3d833bd 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -96,3 +96,22 @@ jobs:
 username: ${{ github.actor }}
 password: ${{ github.token }}
 if: github.ref == 'refs/heads/main' || matrix.version == '37' # We only want the latest version for testing
+
+ - name: Install Cosign
+ uses: sigstore/cosign-installer@v2
+
+ - name: Login to container registry
+ uses: docker/login-action@v2
+ with:
+ registry: ghcr.io
+ username: ${{ github.actor }}
+ password: ${{ secrets.GITHUB_TOKEN }}
+
+ - name: Sign image
+ run: |
+ echo "${{ env.COSIGN_PRIVATE_KEY }}" > cosign.key
+ cosign sign --key cosign.key ghcr.io/${{ github.repository_owner }}/${{ steps.build.outputs.image }}@${{ steps.push.outputs.digest }}
+ env:
+ COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }}
+ COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
+ if: github.ref == 'refs/heads/main' || matrix.version == '37'
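Review bot: The `Sign image` step writes the private key to the runner's disk with `echo "${{ env.COSIGN_PRIVATE_KEY }}" > cosign.key`, which also splices the secret into the generated shell script through expression interpolation and leaves `cosign.key` in the workspace for every later step. Cosign can read key material from the environment directly, so the two `run` lines can collapse to `cosign sign --key env://COSIGN_PRIVATE_KEY ghcr.io/${{ github.repository_owner }}/${{ steps.build.outputs.image }}@${{ steps.push.outputs.digest }}`, with `COSIGN_PRIVATE_KEY` and `COSIGN_PASSWORD` kept in `env:` exactly as they are. Two smaller points: the new login step uses `${{ secrets.GITHUB_TOKEN }}` while the context line just above uses `${{ github.token }}` for the same credential, and `Install Cosign` and `Login to container registry` lack the `if:` guard that `Sign image` carries, so they run for matrix entries that never sign. The `steps.build` and `steps.push` ids are defined outside this hunk; I cannot confirm from the diff that `steps.push.outputs.digest` is actually populated by the push step.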
diff --git a/src/Kinoite.containerfile b/src/Kinoite.containerfile
index 56e853a..32967ad 100644
--- a/src/Kinoite.containerfile
+++ b/src/Kinoite.containerfile
@@ -15,6 +15,9 @@ ARG FEDORA_VERSION=37
 # See https://pagure.io/releng/pull-request/11180 for final location of base image
 FROM ghcr.io/cgwalters/fedora-kinoite:$FEDORA_VERSION
 
+# Copy configuration files
+COPY ./etc /etc
+
 # Finish and commit image
 RUN rpm-ostree cleanup -m && \
 ostree container commit
diff --git a/src/Silverblue.containerfile b/src/Silverblue.containerfile
index 73c3ff6..2c2d6d7 100644
--- a/src/Silverblue.containerfile
+++ b/src/Silverblue.containerfile
@@ -15,6 +15,9 @@ ARG FEDORA_VERSION=37
 # See https://pagure.io/releng/pull-request/11180 for final location of base image
 FROM ghcr.io/cgwalters/fedora-silverblue:$FEDORA_VERSION
 
+# Copy configuration files
+COPY ./etc /etc
+
 # Finish and commit image
 RUN rpm-ostree cleanup -m && \
 ostree container commit
diff --git a/src/etc/containers/policy.json b/src/etc/containers/policy.json
new file mode 100644
index 0000000..1237132
--- /dev/null
+++ b/src/etc/containers/policy.json
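Review bot: The comment `# Copy configuration files` above the new `COPY ./etc /etc` says nothing about what is being shipped, and the same two lines are added to `src/Silverblue.containerfile` in the following hunk. Because the copied tree carries the container signature policy and the Cosign public key that the booted system will enforce on future pulls, a comment such as `# Install the container signature policy and Cosign public key (etc/containers, etc/pki) into the image` would tell a maintainer why this layer matters. The relative `./etc` only resolves when the build context is `src/`; that is configured outside this diff, so I cannot confirm it here.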
@@ -0,0 +1,83 @@
+{
+ "default": [
+ {
+ "type": "reject"
+ }
+ ],
+ "transports": {
+ "docker": {
+ "registry.access.redhat.com": [
+ {
+ "type": "signedBy",
+ "keyType": "GPGKeys",
+ "keyPath": "/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release"
+ }
+ ],
+ "registry.redhat.io": [
+ {
+ "type": "signedBy",
+ "keyType": "GPGKeys",
+ "keyPath": "/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release"
+ }
+ ],
+ "ghcr.io/ahgencer/silverblue": [
+ {
+ "type": "sigstoreSigned",
+ "keyPath": "/etc/pki/containers/ocitree.pub",
+ "signedIdentity": {
+ "type": "matchRepository"
+ }
+ }
+ ],
+ "ghcr.io/ahgencer/kinoite": [
+ {
+ "type": "sigstoreSigned",
+ "keyPath": "/etc/pki/containers/ocitree.pub",
+ "signedIdentity": {
+ "type": "matchRepository"
+ }
+ }
+ ],
+ "": [
+ {
+ "type": "insecureAcceptAnything"
+ }
+ ]
+ },
+ "docker-daemon": {
+ "": [
+ {
+ "type": "insecureAcceptAnything"
+ }
+ ]
+ },
+ "atomic": {
+ "": [
+ {
+ "type": "insecureAcceptAnything"
+ }
+ ]
+ },
+ "dir": {
+ "": [
+ {
+ "type": "insecureAcceptAnything"
+ }
+ ]
+ },
+ "oci": {
+ "": [
+ {
+ "type": "insecureAcceptAnything"
+ }
+ ]
+ },
+ "tarball": {
+ "": [
+ {
+ "type": "insecureAcceptAnything"
+ }
+ ]
+ }
+ }
+}
diff --git a/src/etc/containers/registries.d/ocitree.yaml b/src/etc/containers/registries.d/ocitree.yaml
new file mode 100644
index 0000000..1272a7c
--- /dev/null
+++ b/src/etc/containers/registries.d/ocitree.yaml
@@ -0,0 +1,5 @@
+docker:
+ ghcr.io/ahgencer/silverblue:
+ use-sigstore-attachments: true
+ ghcr.io/ahgencer/kinoite:
+ use-sigstore-attachments: true
diff --git a/src/etc/pki/containers/ocitree.pub b/src/etc/pki/containers/ocitree.pub
new file mode 100644
index 0000000..7d559fe
--- /dev/null
+++ b/src/etc/pki/containers/ocitree.pub
@@ -0,0 +1,4 @@
+-----BEGIN PUBLIC KEY-----
+MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEnJEh0T2c+4saH2BDmWhq/XuWhqeG
+akLGeWgCtA609gRKYSyblP0nmtO/LqSZt3BsTmYAfxHnwTenJXeFdC8a+w==
+-----END PUBLIC KEY-----
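Review bot: The `"default": [{"type": "reject"}]` entry is largely cosmetic for the `docker` transport, because the `""` scope under `transports.docker` falls back to `insecureAcceptAnything`, so only the four listed registries and repositories ever see a signature check and pulls from any other registry are accepted unsigned. If that is the intended trade-off it deserves a sentence in the commit message or a README, since policy.json cannot carry comments; otherwise removing the `""` entry under `docker` lets the top-level reject default apply to unlisted registries. The `registry.access.redhat.com` and `registry.redhat.io` entries point at `/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release`, which I would not expect to exist on a Fedora Silverblue/Kinoite image; if it is absent, pulls from those registries fail at policy evaluation rather than falling through to the `""` scope. The `ghcr.io/ahgencer/silverblue` and `ghcr.io/ahgencer/kinoite` scopes must also match exactly what the workflow signs as `ghcr.io/${{ github.repository_owner }}/${{ steps.build.outputs.image }}`, and that image name comes from a step outside this diff.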
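Review bot: The new registries.d file carries no comment explaining why it exists, and its role is not obvious: the `sigstoreSigned` rules in `policy.json` only verify signatures that containers/image actually retrieves, and `use-sigstore-attachments: true` is what makes it look for Cosign signatures stored alongside the image in the same repository. A header such as `# Fetch Cosign signatures stored as OCI attachments for these repositories; required by the sigstoreSigned rules in /etc/containers/policy.json` would tie the two files together for the next maintainer. The two repository names here must stay in step with the scopes in `policy.json` and with what the workflow signs, so the comment could also name that coupling.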