diff --git a/Containerfile b/Containerfile
index afab88b..1655511 100644
--- a/Containerfile
+++ b/Containerfile
@@ -1,8 +1,7 @@
 ARG silverblue_version=41
 FROM quay.io/fedora-ostree-desktops/silverblue:${silverblue_version}
-COPY cosign.pub /etc/pki/cosign/cosign.pub
-COPY overlay-root/etc/ /etc/
+COPY overlay-root/ /
 RUN mkdir -p /var/opt \
 && mkdir -p /usr/lib/opt/google \
diff --git a/README.md b/README.md
index 1fa7b24..f8fd4f6 100644
--- a/README.md
+++ b/README.md
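Review bot: `COPY overlay-root/ /` now lands the trust material (policy.json, `registries.d/50-docker.yaml` and the renamed `cosign.pub`) under `/usr/etc`, while the shipped policy still points at `/etc/pki/cosign/cosign.pub`; that only works because ostree merges `/usr/etc` into `/etc` at deploy time, and that merge keeps files a user has modified locally, so anyone who hand-edited `/etc/containers/policy.json` per the old README will silently keep their old policy and never pick this one up. I would document the dependency next to the COPY, `# overlay-root/usr/etc becomes the ostree /etc default; locally modified files in /etc (e.g. a hand-edited policy.json) win on merge`, and have the README tell existing users to check `ostree admin config-diff` and remove their stale copy before rebasing. The previous COPY also fixed the key's location explicitly; its mode now comes from the git checkout, so consider pinning it with `COPY --chmod=0444` if the builder supports it. The RUN instruction continues outside the hunk.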
@@ -4,44 +4,18 @@ Following Jorge Castro's lead and making my own spin on Silverblue
 ## Rebasing onto this image
-From a normal Silverblue install, or the previous `:40` version, you can rebase onto this image.
+From another Silverblue based image, first, rebase onto the unsigned image.
-The image is signed.
-Bootstrap the process by downloading the cosign public key for verification.
-
-```
-mkdir -p /etc/pki/cosign
-wget -O /etc/pki/cosign/cosign.pub https://raw.githubusercontent.com/samhclark/custom-silverblue/refs/heads/main/cosign.pub
-printf '55e391488bbbfe28209e09963edf38a612e306572b2dd72bbcc97402690ff000 /etc/pki/cosign/cosign.pub' | sha256sum --check -
-chmod 555 /etc/pki/cosign
-chmod 444 /etc/pki/cosign/cosign.pub
-sudo chattr +i /etc/pki/cosign/cosign.pub
 ```
-
-Edit your existing `/etc/containers/policy.json` to include a section like this:
-
-```json
-{
- "transports": {
- "docker": {
- "ghcr.io/samhclark/custom-silverblue:40": [{"type": "insecureAcceptAnything"}],
- "ghcr.io/samhclark/custom-silverblue": [
- {
- "type": "sigstoreSigned",
- "keyPath": "/etc/pki/cosign/cosign.pub",
- "signedIdentity": "exactRepository",
- "dockerRepository": "ghcr.io/samhclark/custom-silverblue"
- }
- ]
- }
- }
-}
+rpm-ostree rebase ostree-unverified-registry:ghcr.io/samhclark/custom-silverblue:41
 ```
-Then, it's time to rebase
+Then, after that, rebase onto the signed image.
+This bootstrapping process helps get the public keys onto your machine
+and makes sure everything is configured right.
 ```
-rpm-ostree rebase ostree-image-signed:registry:ghcr.io/samhclark/custom-silverblue:41
+rpm-ostree rebase ostree-image-signed:docker://ghcr.io/samhclark/custom-silverblue:41
 ```
 ## Google Linux Signing Keys
diff --git a/overlay-root/usr/etc/containers/policy.json b/overlay-root/usr/etc/containers/policy.json
new file mode 100644
index 0000000..2b939bd
--- /dev/null
+++ b/overlay-root/usr/etc/containers/policy.json
@@ -0,0 +1,86 @@
+{
+ "default": [
+ {
+ "type": "reject"
+ }
+ ],
+ "transports": {
+ "docker": {
+ "ghcr.io/samhclark/custom-silverblue:40": [
+ {
+ "type": "insecureAcceptAnything"
+ }
+ ],
+ "ghcr.io/samhclark": [
+ {
+ "type": "sigstoreSigned",
+ "keyPath": "/etc/pki/cosign/cosign.pub",
+ "signedIdentity": {
+ "type": "matchRepository"
+ }
+ }
+ ],
+ "": [
+ {
+ "type": "insecureAcceptAnything"
+ }
+ ]
+ },
+ "docker-daemon": {
+ "": [
+ {
+ "type": "insecureAcceptAnything"
+ }
+ ]
+ },
+ "atomic": {
+ "": [
+ {
+ "type": "insecureAcceptAnything"
+ }
+ ]
+ },
+ "containers-storage": {
+ "": [
+ {
+ "type": "insecureAcceptAnything"
+ }
+ ]
+ },
+ "dir": {
+ "": [
+ {
+ "type": "insecureAcceptAnything"
+ }
+ ]
+ },
+ "oci": {
+ "": [
+ {
+ "type": "insecureAcceptAnything"
+ }
+ ]
+ },
+ "oci-archive": {
+ "": [
+ {
+ "type": "insecureAcceptAnything"
+ }
+ ]
+ },
+ "docker-archive": {
+ "": [
+ {
+ "type": "insecureAcceptAnything"
+ }
+ ]
+ },
+ "tarball": {
+ "": [
+ {
+ "type": "insecureAcceptAnything"
+ }
+ ]
+ }
+ }
+}
\ No newline at end of file
diff --git a/overlay-root/usr/etc/containers/registries.d/50-docker.yaml b/overlay-root/usr/etc/containers/registries.d/50-docker.yaml
new file mode 100644
index 0000000..165a70b
--- /dev/null
+++ b/overlay-root/usr/etc/containers/registries.d/50-docker.yaml
@@ -0,0 +1,3 @@
+docker:
+ ghcr.io/samhclark:
+ use-sigstore-attachments: true
\ No newline at end of file
diff --git a/cosign.pub b/overlay-root/usr/etc/pki/cosign/cosign.pub
similarity index 100%
rename from cosign.pub
rename to overlay-root/usr/etc/pki/cosign/cosign.pub
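Review bot: The `"default": [{"type": "reject"}]` at the top of the new policy is effectively inert, because every listed transport — including `docker` through its `""` catch-all scope — ends in `insecureAcceptAnything`, so any image from any registry other than `ghcr.io/samhclark` is still pulled unverified and only transports absent from the file would ever be rejected. If reject-by-default is the intent, drop the `""` entry under `docker` and list the registries you actually pull from explicitly; if it is not, make `default` say `insecureAcceptAnything` so the file does not read as stricter than it is. The `ghcr.io/samhclark/custom-silverblue:40` escape hatch is keyed on a mutable tag (whoever can push `:40` bypasses signature checks entirely) and is no longer needed now that the README in this commit bootstraps through `ostree-unverified-registry:`, so I would remove that entry. Note also that shipping the key inside an image that is first pulled unverified makes this trust-on-first-use, and the old README's sha256 check of `cosign.pub` is gone; publish the key fingerprint out of band and ask users to compare `/etc/pki/cosign/cosign.pub` against it after the first rebase.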