From d2dde6de3809c78ad50bcbd4cdafd1bd97edca53 Mon Sep 17 00:00:00 2001 From: RoyalOughtness <129108030+RoyalOughtness@users.noreply.github.com> Date: Thu, 9 Jan 2025 15:05:54 -0800 Subject: [PATCH 1/8] chore: bump bluebuild to 0.9.2 (#779) --- .github/workflows/build.yml | 2 +- .github/workflows/pull_request.yml | 2 +- modules/secureblue-signing/secureblue-signing.sh | 14 ++++++-------- 3 files changed, 8 insertions(+), 10 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 52708457..41a93bed 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -101,7 +101,7 @@ jobs: - name: Build secureblue uses: blue-build/github-action@4d8b4df657ec923574611eec6fd7e959416c47f0 # v1.8.1 with: - cli_version: v0.9.0 + cli_version: v0.9.2 recipe: ${{ matrix.recipe }} cosign_private_key: ${{ secrets.SIGNING_SECRET }} registry_token: ${{ github.token }} diff --git a/.github/workflows/pull_request.yml b/.github/workflows/pull_request.yml index 06a65563..16bfe3f0 100644 --- a/.github/workflows/pull_request.yml +++ b/.github/workflows/pull_request.yml @@ -45,7 +45,7 @@ jobs: run: | docker create \ --name blue-build-installer \ - ghcr.io/blue-build/cli:v0.9.0-installer + ghcr.io/blue-build/cli:v0.9.2-installer docker cp blue-build-installer:/out/bluebuild /usr/local/bin/bluebuild docker rm blue-build-installer bluebuild --version diff --git a/modules/secureblue-signing/secureblue-signing.sh b/modules/secureblue-signing/secureblue-signing.sh index 078a5fe7..fb715b6c 100644 --- a/modules/secureblue-signing/secureblue-signing.sh +++ b/modules/secureblue-signing/secureblue-signing.sh @@ -3,7 +3,7 @@ # Tell build process to exit if there are any errors. set -euo pipefail -CONTAINER_DIR="/usr/etc/containers" +CONTAINER_DIR="/etc/containers" MODULE_DIRECTORY="${MODULE_DIRECTORY:-"/tmp/modules"}" IMAGE_NAME_FILE="${IMAGE_NAME//\//_}" IMAGE_REGISTRY_TITLE=$(echo "$IMAGE_REGISTRY" | cut -d'/' -f2-) 
@@ -19,18 +19,16 @@ if ! [ -d $CONTAINER_DIR/registries.d ]; then mkdir -p "$CONTAINER_DIR/registries.d" fi -if ! [ -d "/usr/etc/pki/containers" ]; then - mkdir -p "/usr/etc/pki/containers" +if ! [ -d "/etc/pki/containers" ]; then + mkdir -p "/etc/pki/containers" fi if ! [ -f "$CONTAINER_DIR/policy.json" ]; then cp "$MODULE_DIRECTORY/signing/policy.json" "$CONTAINER_DIR/policy.json" fi -# covering our bases here since /usr/etc is technically unsupported, reevaluate once bootc is the primary deployment tool -cp "/usr/etc/pki/containers/$IMAGE_NAME.pub" "/usr/etc/pki/containers/$IMAGE_REGISTRY_TITLE.pub" -cp "/usr/etc/pki/containers/$IMAGE_NAME.pub" "/etc/pki/containers/$IMAGE_REGISTRY_TITLE.pub" -rm "/usr/etc/pki/containers/$IMAGE_NAME.pub" +cp "/etc/pki/containers/$IMAGE_NAME.pub" "/etc/pki/containers/$IMAGE_REGISTRY_TITLE.pub" +rm "/etc/pki/containers/$IMAGE_NAME.pub" POLICY_FILE="$CONTAINER_DIR/policy.json" @@ -52,5 +50,5 @@ cp POLICY.tmp /usr/etc/containers/policy.json cp POLICY.tmp /etc/containers/policy.json rm POLICY.tmp -mv "$MODULE_DIRECTORY/signing/registry-config.yaml" "$CONTAINER_DIR/registries.d/$IMAGE_REGISTRY_TITLE.yaml" +mv "$MODULE_DIRECTORY/secureblue-signing/registry-config.yml" "$CONTAINER_DIR/registries.d/$IMAGE_REGISTRY_TITLE.yaml" sed -i "s ghcr.io/IMAGENAME $IMAGE_REGISTRY g" "$CONTAINER_DIR/registries.d/$IMAGE_REGISTRY_TITLE.yaml" From fe7d3b8ca323b869313dc5f180db9a0dca852c6b Mon Sep 17 00:00:00 2001 From: RoyalOughtness <129108030+RoyalOughtness@users.noreply.github.com> Date: Fri, 10 Jan 2025 13:27:41 -0800 Subject: [PATCH 2/8] Revert "chore: bump bluebuild to 0.9.2 (#779)" This reverts commit d2dde6de3809c78ad50bcbd4cdafd1bd97edca53. --- .github/workflows/build.yml | 2 +- .github/workflows/pull_request.yml | 2 +- modules/secureblue-signing/secureblue-signing.sh | 14 ++++++++------ 3 files changed, 10 insertions(+), 8 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 41a93bed..52708457 100644 
--- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -101,7 +101,7 @@ jobs: - name: Build secureblue uses: blue-build/github-action@4d8b4df657ec923574611eec6fd7e959416c47f0 # v1.8.1 with: - cli_version: v0.9.2 + cli_version: v0.9.0 recipe: ${{ matrix.recipe }} cosign_private_key: ${{ secrets.SIGNING_SECRET }} registry_token: ${{ github.token }} diff --git a/.github/workflows/pull_request.yml b/.github/workflows/pull_request.yml index 16bfe3f0..06a65563 100644 --- a/.github/workflows/pull_request.yml +++ b/.github/workflows/pull_request.yml @@ -45,7 +45,7 @@ jobs: run: | docker create \ --name blue-build-installer \ - ghcr.io/blue-build/cli:v0.9.2-installer + ghcr.io/blue-build/cli:v0.9.0-installer docker cp blue-build-installer:/out/bluebuild /usr/local/bin/bluebuild docker rm blue-build-installer bluebuild --version diff --git a/modules/secureblue-signing/secureblue-signing.sh b/modules/secureblue-signing/secureblue-signing.sh index fb715b6c..078a5fe7 100644 --- a/modules/secureblue-signing/secureblue-signing.sh +++ b/modules/secureblue-signing/secureblue-signing.sh @@ -3,7 +3,7 @@ # Tell build process to exit if there are any errors. set -euo pipefail -CONTAINER_DIR="/etc/containers" +CONTAINER_DIR="/usr/etc/containers" MODULE_DIRECTORY="${MODULE_DIRECTORY:-"/tmp/modules"}" IMAGE_NAME_FILE="${IMAGE_NAME//\//_}" IMAGE_REGISTRY_TITLE=$(echo "$IMAGE_REGISTRY" | cut -d'/' -f2-) 
@@ -19,16 +19,18 @@ if ! [ -d $CONTAINER_DIR/registries.d ]; then mkdir -p "$CONTAINER_DIR/registries.d" fi -if ! [ -d "/etc/pki/containers" ]; then - mkdir -p "/etc/pki/containers" +if ! [ -d "/usr/etc/pki/containers" ]; then + mkdir -p "/usr/etc/pki/containers" fi if ! [ -f "$CONTAINER_DIR/policy.json" ]; then cp "$MODULE_DIRECTORY/signing/policy.json" "$CONTAINER_DIR/policy.json" fi -cp "/etc/pki/containers/$IMAGE_NAME.pub" "/etc/pki/containers/$IMAGE_REGISTRY_TITLE.pub" -rm "/etc/pki/containers/$IMAGE_NAME.pub" +# covering our bases here since /usr/etc is technically unsupported, reevaluate once bootc is the primary deployment tool +cp "/usr/etc/pki/containers/$IMAGE_NAME.pub" "/usr/etc/pki/containers/$IMAGE_REGISTRY_TITLE.pub" +cp "/usr/etc/pki/containers/$IMAGE_NAME.pub" "/etc/pki/containers/$IMAGE_REGISTRY_TITLE.pub" +rm "/usr/etc/pki/containers/$IMAGE_NAME.pub" POLICY_FILE="$CONTAINER_DIR/policy.json" @@ -50,5 +52,5 @@ cp POLICY.tmp /usr/etc/containers/policy.json cp POLICY.tmp /etc/containers/policy.json rm POLICY.tmp -mv "$MODULE_DIRECTORY/secureblue-signing/registry-config.yml" "$CONTAINER_DIR/registries.d/$IMAGE_REGISTRY_TITLE.yaml" +mv "$MODULE_DIRECTORY/signing/registry-config.yaml" "$CONTAINER_DIR/registries.d/$IMAGE_REGISTRY_TITLE.yaml" sed -i "s ghcr.io/IMAGENAME $IMAGE_REGISTRY g" "$CONTAINER_DIR/registries.d/$IMAGE_REGISTRY_TITLE.yaml" From ef06f2428eeebeb265ace796eabefefbf5d511b7 Mon Sep 17 00:00:00 2001 From: Reflux0301 <130855216+Reflux0301@users.noreply.github.com> Date: Fri, 10 Jan 2025 19:41:16 -0600 Subject: [PATCH 3/8] docs: add a comment about SPICE guest features (#783) --- docs/FAQ.md | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/docs/FAQ.md b/docs/FAQ.md index 5a35aaad..8806f239 100644 --- a/docs/FAQ.md +++ b/docs/FAQ.md 
@@ -150,3 +150,9 @@ Extensions in `hardened-chromium` are disabled by default, for security reasons \ \ If the extension you installed doesn't work, it is likely because it requires WebAssembly (WASM) for some cryptographic library or some other optimizations (this is the case with the Bitwarden extension). To re-enable JavaScript JIT and WASM for extensions, enable the feature `chrome://flags/#internal-page-jit`. + +#### Why doesn't SPICE features like automatic window resizing and shared clipboard work? + +The SPICE protocol uses an agent called `spice-vdagentd` which handles these various features. However, the implementation of this requires an X server. This is why it works on standard Silverblue and not secureblue. + +To enable this, run `ujust toggle-xwayland` and reboot. This will allow `spice-vdagentd` to use an X server and will enable these features. From 4b96a3fcd067e13f586e9aa15875febef04b9f16 Mon Sep 17 00:00:00 2001 From: topaz8 Date: Fri, 10 Jan 2025 20:43:32 -0500 Subject: [PATCH 4/8] feat: add securecore documentation (#727) --- docs/README.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/docs/README.md b/docs/README.md index cdb997f8..a615b503 100644 --- a/docs/README.md +++ b/docs/README.md 
@@ -81,6 +81,8 @@ Have a look at [PREINSTALL-README](PREINSTALL-README.md) before proceeding. > If you don't already have a Fedora Atomic installation, use a Fedora Atomic ISO that matches your secureblue target image to install one. If you want to use a secureblue Silverblue image, start with the Fedora Silverblue ISO, Kinoite for Kinoite, Sericea (Sway Atomic) for Sericea and all the Wayblue images, and CoreOS for all the securecore images. > > For more details on the available images, have a look at [IMAGES](IMAGES.md) before proceeding. +> +> For instructions on installing Fedora CoreOS, please see the documentation [here](https://docs.fedoraproject.org/en-US/fedora-coreos/). There is a sample butane configuration file [here](example.butane). To rebase a [Fedora Atomic](https://fedoraproject.org/atomic-desktops/) or [Fedora CoreOS](https://fedoraproject.org/coreos/) installation, download the script below. This script does not install secureblue into the existing system. It rebases (fully replaces the existing system) with secureblue. From 79225f1f11ac761c4a354bd13c9f932b22d34002 Mon Sep 17 00:00:00 2001 From: topaz8 Date: Fri, 10 Jan 2025 21:21:28 -0500 Subject: [PATCH 5/8] feat: butane config (#673) --- docs/example.butane | 43 +++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 43 insertions(+) create mode 100644 docs/example.butane diff --git a/docs/example.butane b/docs/example.butane new file mode 100644 index 00000000..97c85da2 --- /dev/null +++ b/docs/example.butane 
@@ -0,0 +1,43 @@
+variant: fcos
+version: 1.5.0
+passwd:
+ users:
+ - name: core
+ groups:
+ - wheel
+ password_hash: $y$j9T$mefBCJbp/a49aSkTT4hpE1$6BXtrIuV8856t4A9r/R1GW4aR9eKXxsmB8FXt56Hx70 # 'secureblue'
+ ssh_authorized_keys:
+ - ssh-ed25519
+storage:
+ files:
+ - path: /opt/install_secureblue.sh
+ contents:
+ source: https://raw.githubusercontent.com/secureblue/secureblue/refs/heads/live/files/system/usr/share/secureblue/install_secureblue.sh
+ verification:
+ hash: sha256-d4ba5bfb556e9d1e3789a02fab2ab2f871033cc6b1712945cdfb9ce4375eafe5
+ mode: 0755
+ - path: /opt/run_install_secureblue.sh
+ contents:
+ inline: |
+ sudo systemctl disable --now zincati.service 2>/dev/null
+ sudo systemctl stop rpm-ostreed-automatic.timer rpm-ostreed-automatic.service 2>/dev/null
+ if [ ! -f /opt/install_secureblue.sh ]; then
+ echo "Error: install_secureblue.sh was not downloaded."
+ else
+ sudo /opt/install_secureblue.sh
+ if [ $? != 0 ]; then
+ echo "Error: Secureblue installer failed."
+ else
+ sed -i "/\/opt\/run_install_secureblue.sh/d" /var/home/core/.bash_profile
+ sudo rm -f /opt/*install_secureblue.sh
+ echo "Automatically rebooting in 5 seconds..."
+ sleep 5
+ sudo systemctl reboot
+ fi
+ fi
+ mode: 0755
+ - path: /var/home/core/.bash_profile
+ overwrite: false
+ append:
+ - inline: |
+ /opt/run_install_secureblue.sh
\ No newline at end of file
From cda19db81c8ee41a55f6657eaa56ca7b5bb87bcb Mon Sep 17 00:00:00 2001 From: Root <175176948+RKNF404@users.noreply.github.com> Date: Fri, 10 Jan 2025 22:26:46 -0500 Subject: [PATCH 6/8] chore: add more dbus names to flatpak lockdown (#784) --- files/justfiles/hardening.just | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/files/justfiles/hardening.just b/files/justfiles/hardening.just
index fc8c3c28..ba6ca534 100644
--- a/files/justfiles/hardening.just
+++ b/files/justfiles/hardening.just
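Review bot: The `password_hash` on the `core` user is the hash of a plaintext published right next to it (`# 'secureblue'`) and the user is placed in `wheel`, so a host provisioned from this example as-is boots with a known local password that has sudo, while the `ssh_authorized_keys` entry is a bare `- ssh-ed25519` with no key material, i.e. a placeholder rather than a working key. Since this is the file the README points new users at, I would mark both as must-replace in place, e.g. `password_hash: ... # EXAMPLE ONLY ('secureblue') - replace with your own hash, e.g. mkpasswd --method=yescrypt` and `- ssh-ed25519 AAAA... # replace with your public key`, or drop `password_hash` entirely so the account is key-only. The `/var/home/core/.bash_profile` append runs `/opt/run_install_secureblue.sh` on every login (SSH included) until the installer succeeds, because the `sed -i` that removes the hook only runs on the success path, and the `2>/dev/null` on the two `systemctl` lines hides the reason if those steps are what fails; a one-line comment above `append:` stating that the hook is self-removing on success would save users a surprise. The `verification.hash` pin against a `refs/heads/live` URL means first boot should fail whenever the installer on that branch changes (fail-closed, which is the right direction), and that coupling is worth a comment next to `hash:` so nobody "fixes" it by removing the pin.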
@@ -24,7 +24,7 @@ flatpak-permissions-lockdown: kFeaturePermissions=("per-app-dev-shm" "canbus" "bluetooth" "multiarch" "devel") kFilesystemPermissions=("home" "host-etc" "host") kDangerousFilesystemPermissions=("~/.bashrc" "~/.bash_profile" "/home" "/var/home" "/var" "/media" "/run/media" "/run" "/mnt") - kKnownSessionBusNames=("org.gnome.Settings" "org.gnome.SettingsDaemon.MediaKeys" "org.gnome.SessionManager" "org.kde.kiod5" "org.kde.JobViewServer" "org.gtk.vfs.*" "org.freedesktop.secrets" "org.kde.kconfig.notify" "org.kde.kpasswdserver" "org.kde.*" "org.kde.StatusNotifierWatcher" "org.kde.kded6" "org.kde.kpasswdserver6" "org.kde.kiod6" "com.canonical.Unity" "org.freedesktop.Notifications" "org.freedesktop.FileManager1" "org.freedesktop.impl.portal.PermissionStore" "org.freedesktop.Flatpak" "com.canonical.AppMenu.Registrar" "org.kde.KGlobalSettings" "org.kde.kded5" "com.canonical.Unity.LauncherEntry" "org.kde.kwalletd5" "org.gnome.SettingsDaemon" "org.a11y.Bus" "com.canonical.indicator.application" "org.freedesktop.ScreenSaver" "ca.desrt.dconf" "org.freedesktop.PowerManagement" "org.gnome.Software" "org.freedesktop.Tracker3.Writeback" "io.missioncenter.MissionCenter.Gatherer") + kKnownSessionBusNames=("org.gnome.Settings" "org.gnome.SettingsDaemon.MediaKeys" "org.gnome.SessionManager" "org.gnome.Shell.Screenshot" "org.kde.kiod5" "org.kde.kwin.Screenshot" "org.kde.JobViewServer" "org.gtk.vfs.*" "org.freedesktop.secrets" "org.kde.kconfig.notify" "org.kde.kpasswdserver" "org.kde.*" "org.kde.StatusNotifierWatcher" "org.kde.kded6" "org.kde.kpasswdserver6" "org.kde.kiod6" "com.canonical.Unity" "org.freedesktop.Notifications" "org.freedesktop.FileManager1" "org.freedesktop.impl.portal.PermissionStore" "org.freedesktop.Flatpak" "com.canonical.AppMenu.Registrar" "org.kde.KGlobalSettings" "org.kde.kded5" "com.canonical.Unity.LauncherEntry" "org.kde.kwalletd5" "org.gnome.SettingsDaemon" "org.a11y.Bus" "com.canonical.indicator.application" "org.freedesktop.ScreenSaver" 
"ca.desrt.dconf" "org.freedesktop.PowerManagement" "org.gnome.Software" "org.freedesktop.Tracker3.Writeback" "io.missioncenter.MissionCenter.Gatherer") kKnownSystemBusNames=("org.freedesktop.systemd1" "org.freedesktop.Avahi.*" "org.freedesktop.login1" "org.freedesktop.NetworkManager" "org.freedesktop.UPower" "org.freedesktop.UDisks2" "org.freedesktop.fwupd") kFlatsealNameAccess=("org.gnome.Software" "org.freedesktop.impl.portal.PermissionStore") From d8e40e4e814c14975004df508e90370c31782be5 Mon Sep 17 00:00:00 2001 From: RoyalOughtness <129108030+RoyalOughtness@users.noreply.github.com> Date: Fri, 10 Jan 2025 19:49:20 -0800 Subject: [PATCH 7/8] feat: example butane checksum validation (#787) --- .github/workflows/checksum.yml | 26 ++++++++++++++++++++++++++ docs/example.butane | 4 ++-- 2 files changed, 28 insertions(+), 2 deletions(-) create mode 100644 .github/workflows/checksum.yml diff --git a/.github/workflows/checksum.yml b/.github/workflows/checksum.yml new file mode 100644 index 00000000..74182f67 --- /dev/null +++ b/.github/workflows/checksum.yml @@ -0,0 +1,26 @@ +name: installer-checksum +on: + pull_request: + branches: + - live +jobs: + verify-installer-checksum: + name: Linkspector + runs-on: ubuntu-22.04 + steps: + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + + - name: Verify checksum + shell: bash + env: + INSTALL_SCRIPT: files/system/usr/share/secureblue/install_secureblue.sh + EXAMPLE_BUTANE: docs/example.butane + run: | + INSTALLER_CHECKSUM=$(sha256sum $INSTALL_SCRIPT | awk '{ print $1 }') + BUTANE_CHECKSUM=$(grep -oP 'sha256-\K[a-f0-9]{64}' $EXAMPLE_BUTANE) + if [ "$INSTALLER_CHECKSUM" != "$BUTANE_CHECKSUM" ]; then + echo "Checksum mismatch." + echo "Installer checksum: $INSTALLER_CHECKSUM" + echo "Butane checksum: $BUTANE_CHECKSUM" + exit 1 + fi \ No newline at end of file diff --git a/docs/example.butane b/docs/example.butane index 97c85da2..8610d5ce 100644 --- a/docs/example.butane +++ b/docs/example.butane 
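Review bot: The workflow runs only on `pull_request` targeting `live`, so an installer change that lands on `live` without going through a PR (a direct push, if branch protection permits one) is never checked and the `hash:` in `docs/example.butane` silently diverges from what the `refs/heads/live` URL serves; Ignition's `verification.hash` should then reject the download at first boot. If direct pushes are possible I would add `push: branches: [live]` next to `pull_request:` so the check also runs on the merged tree. The job name `Linkspector` looks copied from another workflow; `name: Verify installer checksum` describes what it does. Minor: quote `"$INSTALL_SCRIPT"` and `"$EXAMPLE_BUTANE"`, and because `grep -oP` prints one line per match, a second `sha256-` value anywhere in the butane would make `BUTANE_CHECKSUM` multi-line and report a confusing mismatch rather than a clear error.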
@@ -14,7 +14,7 @@ storage: contents: source: https://raw.githubusercontent.com/secureblue/secureblue/refs/heads/live/files/system/usr/share/secureblue/install_secureblue.sh verification: - hash: sha256-d4ba5bfb556e9d1e3789a02fab2ab2f871033cc6b1712945cdfb9ce4375eafe5 + hash: sha256-1f2f8ac822614eb20c82547aabdd18fbded3906115db8ecd4efcf3a80e19bd7d mode: 0755 - path: /opt/run_install_secureblue.sh contents: @@ -40,4 +40,4 @@ storage: overwrite: false append: - inline: | - /opt/run_install_secureblue.sh \ No newline at end of file + /opt/run_install_secureblue.sh From a9b879ad89143be7722cd8deec56ce618c803711 Mon Sep 17 00:00:00 2001 From: RoyalOughtness <129108030+RoyalOughtness@users.noreply.github.com> Date: Fri, 10 Jan 2025 20:17:51 -0800 Subject: [PATCH 8/8] fix: add back bluebuild 0.9.2 with properly updated signing (#786) --- .github/workflows/build.yml | 2 +- .github/workflows/pull_request.yml | 2 +- files/system/usr/etc/containers/policy.json | 140 ------------------ modules/secureblue-signing/policy.json | 137 +++++++++++++++-- .../secureblue-signing/registry-config.yaml | 3 + .../secureblue-signing/registry-config.yml | 3 - .../secureblue-signing/secureblue-signing.sh | 28 +++- 7 files changed, 152 insertions(+), 163 deletions(-) delete mode 100644 files/system/usr/etc/containers/policy.json create mode 100644 modules/secureblue-signing/registry-config.yaml delete mode 100644 modules/secureblue-signing/registry-config.yml diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 52708457..41a93bed 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -101,7 +101,7 @@ jobs: - name: Build secureblue uses: blue-build/github-action@4d8b4df657ec923574611eec6fd7e959416c47f0 # v1.8.1 with: - cli_version: v0.9.0 + cli_version: v0.9.2 recipe: ${{ matrix.recipe }} cosign_private_key: ${{ secrets.SIGNING_SECRET }} registry_token: ${{ github.token }} 
diff --git a/.github/workflows/pull_request.yml b/.github/workflows/pull_request.yml index 06a65563..16bfe3f0 100644 --- a/.github/workflows/pull_request.yml +++ b/.github/workflows/pull_request.yml @@ -45,7 +45,7 @@ jobs: run: | docker create \ --name blue-build-installer \ - ghcr.io/blue-build/cli:v0.9.0-installer + ghcr.io/blue-build/cli:v0.9.2-installer docker cp blue-build-installer:/out/bluebuild /usr/local/bin/bluebuild docker rm blue-build-installer bluebuild --version diff --git a/files/system/usr/etc/containers/policy.json b/files/system/usr/etc/containers/policy.json deleted file mode 100644 index ae9ca4c1..00000000 --- a/files/system/usr/etc/containers/policy.json +++ /dev/null 
@@ -1,140 +0,0 @@ -{ - "default": [ - { - "type": "reject" - } - ], - "transports": { - "docker": { - "gcr.io/projectsigstore": [ - { - "type": "sigstoreSigned", - "keyPath": "/etc/pki/containers/cosign-release.pub", - "signedIdentity": { - "type": "matchRepository" - } - } - ], - "ghcr.io/wayblueorg": [ - { - "type": "sigstoreSigned", - "keyPath": "/usr/etc/pki/containers/wayblueorg.pub", - "signedIdentity": { - "type": "matchRepository" - } - } - ], - "ghcr.io/zelikos": [ - { - "type": "sigstoreSigned", - "keyPath": "/usr/etc/pki/containers/davincibox.pub", - "signedIdentity": { - "type": "matchRepository" - } - } - ], - "ghcr.io/jasonn3": [ - { - "type": "sigstoreSigned", - "keyPath": "/usr/etc/pki/containers/build-container-installer.pub", - "signedIdentity": { - "type": "matchRepository" - } - } - ], - "registry.access.redhat.com": [ - { - "type": "signedBy", - "keyType": "GPGKeys", - "keyPath": "/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release" - } - ], - "registry.redhat.io": [ - { - "type": "signedBy", - "keyType": "GPGKeys", - "keyPath": "/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release" - } - ], - "quay.io/toolbx-images": [ - { - "type": "sigstoreSigned", - "keyPath": "/etc/pki/containers/quay.io-toolbx-images.pub", - "signedIdentity": { - "type": "matchRepository" - } - } - ], - "ghcr.io/ublue-os": [ - { - "type": "sigstoreSigned", - "keyPath": "/etc/pki/containers/ublue-os.pub", - "signedIdentity": { - "type": "matchRepository" - } - } - ], - "": [ - { - "type": "reject" - } - ] - }, - "docker-daemon": { - "": [ - { - "type": "reject" - } - ] - }, - "atomic": { - "": [ - { - "type": "reject" - } - ] - }, - "containers-storage": { - "": [ - { - "type": "reject" - } - ] - }, - "dir": { - "": [ - { - "type": "reject" - } - ] - }, - "oci": { - "": [ - { - "type": "reject" - } - ] - }, - "oci-archive": { - "": [ - { - "type": "reject" - } - ] - }, - "docker-archive": { - "": [ - { - "type": "reject" - } - ] - }, - "tarball": { - "": [ - { - "type": "reject" - } - ] - 
} - } -} diff --git a/modules/secureblue-signing/policy.json b/modules/secureblue-signing/policy.json index 3b3ed887..919756da 100644 --- a/modules/secureblue-signing/policy.json +++ b/modules/secureblue-signing/policy.json 
@@ -1,25 +1,140 @@ { - "default": [ - { - "type": "reject" - } - ], - "transports": { - "docker": { + "default": [ + { + "type": "reject" + } + ], + "transports": { + "docker": { + "gcr.io/projectsigstore": [ + { + "type": "sigstoreSigned", + "keyPath": "/usr/etc/pki/containers/cosign-release.pub", + "signedIdentity": { + "type": "matchRepository" + } + } + ], + "ghcr.io/wayblueorg": [ + { + "type": "sigstoreSigned", + "keyPath": "/usr/etc/pki/containers/wayblueorg.pub", + "signedIdentity": { + "type": "matchRepository" + } + } + ], + "ghcr.io/zelikos": [ + { + "type": "sigstoreSigned", + "keyPath": "/usr/etc/pki/containers/davincibox.pub", + "signedIdentity": { + "type": "matchRepository" + } + } + ], + "ghcr.io/jasonn3": [ + { + "type": "sigstoreSigned", + "keyPath": "/usr/etc/pki/containers/build-container-installer.pub", + "signedIdentity": { + "type": "matchRepository" + } + } + ], "registry.access.redhat.com": [ { "type": "signedBy", "keyType": "GPGKeys", - "keyPath": "/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release" + "keyPath": "/usr/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release" } ], "registry.redhat.io": [ { "type": "signedBy", "keyType": "GPGKeys", - "keyPath": "/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release" + "keyPath": "/usr/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release" + } + ], + "quay.io/toolbx-images": [ + { + "type": "sigstoreSigned", + "keyPath": "/usr/etc/pki/containers/quay.io-toolbx-images.pub", + "signedIdentity": { + "type": "matchRepository" + } + } + ], + "ghcr.io/ublue-os": [ + { + "type": "sigstoreSigned", + "keyPath": "/usr/etc/pki/containers/ublue-os.pub", + "signedIdentity": { + "type": "matchRepository" + } + } + ], + "": [ + { + "type": "reject" + } + ] + }, + "docker-daemon": { + "": [ + { + "type": "reject" + } + ] + }, + "atomic": { + "": [ + { + "type": "reject" + } + ] + }, + "containers-storage": { + "": [ + { + "type": "reject" + } + ] + }, + "dir": { + "": [ + { + "type": "reject" + } + ] + }, + "oci": { + "": [ + { + "type": "reject" + 
} + ] + }, + "oci-archive": { + "": [ + { + "type": "reject" + } + ] + }, + "docker-archive": { + "": [ + { + "type": "reject" + } + ] + }, + "tarball": { + "": [ + { + "type": "reject" } ] } - } -} \ No newline at end of file + } +} diff --git a/modules/secureblue-signing/registry-config.yaml b/modules/secureblue-signing/registry-config.yaml new file mode 100644 index 00000000..179d45e5 --- /dev/null +++ b/modules/secureblue-signing/registry-config.yaml @@ -0,0 +1,3 @@ +docker: + ghcr.io/IMAGENAME: + use-sigstore-attachments: true diff --git a/modules/secureblue-signing/registry-config.yml b/modules/secureblue-signing/registry-config.yml deleted file mode 100644 index a6f49275..00000000 --- a/modules/secureblue-signing/registry-config.yml +++ /dev/null @@ -1,3 +0,0 @@ -docker: - ghcr.io/IMAGENAME: - use-sigstore-attachments: true \ No newline at end of file diff --git a/modules/secureblue-signing/secureblue-signing.sh b/modules/secureblue-signing/secureblue-signing.sh index 078a5fe7..372f9a9c 100644 --- a/modules/secureblue-signing/secureblue-signing.sh +++ b/modules/secureblue-signing/secureblue-signing.sh @@ -4,6 +4,7 @@ set -euo pipefail CONTAINER_DIR="/usr/etc/containers" +ETC_CONTAINER_DIR="/etc/containers" MODULE_DIRECTORY="${MODULE_DIRECTORY:-"/tmp/modules"}" IMAGE_NAME_FILE="${IMAGE_NAME//\//_}" IMAGE_REGISTRY_TITLE=$(echo "$IMAGE_REGISTRY" | cut -d'/' -f2-) 
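Review bot: Every `keyPath` in the new policy points under `/usr/etc/` — including `/usr/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release`, `/usr/etc/pki/containers/cosign-release.pub`, `quay.io-toolbx-images.pub` and `ublue-os.pub`, which the deleted `files/system/usr/etc/containers/policy.json` looked up under `/etc/pki/`. This policy is evaluated on the deployed host at pull time, and the signing script's own comment calls `/usr/etc` "technically unsupported" while it mirrors keys into both `/usr/etc/pki/containers` and `/etc/pki/containers`; a `keyPath` missing on the running system should make the `sigstoreSigned`/`signedBy` requirement fail closed (the image is rejected), so the exposure is unexpected pull breakage rather than a verification bypass, but it needs checking on a booted image — in particular whether a Red Hat release key exists under `/usr/etc/pki/rpm-gpg` there at all. I would keep the `/etc/pki/` paths in the policy (the runtime view) and explain the choice in a comment at the top of `secureblue-signing.sh`, since JSON cannot carry one. The `"default": reject` plus the `"": reject` catch-all on every transport is the right shape and worth keeping exactly as is.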
@@ -15,22 +16,33 @@ if ! [ -d "$CONTAINER_DIR" ]; then
 mkdir -p "$CONTAINER_DIR"
 fi
 
+if ! [ -d "$ETC_CONTAINER_DIR" ]; then
+ mkdir -p "$ETC_CONTAINER_DIR"
+fi
+
 if ! [ -d $CONTAINER_DIR/registries.d ]; then
 mkdir -p "$CONTAINER_DIR/registries.d"
 fi
 
+if ! [ -d $ETC_CONTAINER_DIR/registries.d ]; then
+ mkdir -p "$ETC_CONTAINER_DIR/registries.d"
+fi
+
 if ! [ -d "/usr/etc/pki/containers" ]; then
 mkdir -p "/usr/etc/pki/containers"
 fi
 
-if ! [ -f "$CONTAINER_DIR/policy.json" ]; then
- cp "$MODULE_DIRECTORY/signing/policy.json" "$CONTAINER_DIR/policy.json"
+if ! [ -d "/etc/pki/containers" ]; then
+ mkdir -p "/etc/pki/containers"
 fi
 
+cp "$MODULE_DIRECTORY/secureblue-signing/policy.json" $CONTAINER_DIR/policy.json
+cp "$MODULE_DIRECTORY/secureblue-signing/policy.json" $ETC_CONTAINER_DIR/policy.json
+
 # covering our bases here since /usr/etc is technically unsupported, reevaluate once bootc is the primary deployment tool
-cp "/usr/etc/pki/containers/$IMAGE_NAME.pub" "/usr/etc/pki/containers/$IMAGE_REGISTRY_TITLE.pub"
-cp "/usr/etc/pki/containers/$IMAGE_NAME.pub" "/etc/pki/containers/$IMAGE_REGISTRY_TITLE.pub"
-rm "/usr/etc/pki/containers/$IMAGE_NAME.pub"
+cp "/etc/pki/containers/$IMAGE_NAME.pub" "/usr/etc/pki/containers/$IMAGE_REGISTRY_TITLE.pub"
+cp "/etc/pki/containers/$IMAGE_NAME.pub" "/etc/pki/containers/$IMAGE_REGISTRY_TITLE.pub"
+rm "/etc/pki/containers/$IMAGE_NAME.pub"
 
 POLICY_FILE="$CONTAINER_DIR/policy.json"
 
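Review bot: The two `cp ... policy.json` lines now overwrite `$CONTAINER_DIR/policy.json` and `$ETC_CONTAINER_DIR/policy.json` unconditionally, whereas the removed `if ! [ -f "$CONTAINER_DIR/policy.json" ]` only installed the module's copy when none existed, so any policy.json staged earlier in the build by another module is silently replaced by this trust root; that is presumably intended now that `files/system/usr/etc/containers/policy.json` is deleted, but it deserves a comment, e.g. `# this module owns policy.json: any copy staged earlier in the build is replaced`. The destinations on those two lines are unquoted, as are the `[ -d $CONTAINER_DIR/registries.d ]` and `[ -d $ETC_CONTAINER_DIR/registries.d ]` tests; quoting them matches the rest of the file. The key copies read `/etc/pki/containers/$IMAGE_NAME.pub` even though `IMAGE_NAME_FILE="${IMAGE_NAME//\//_}"` exists for a slash-flattened name — if `IMAGE_NAME` can ever contain `/`, the source path here would not be what wrote the key; presumably it cannot, but worth confirming against the bluebuild side. On the positive side, with `set -euo pipefail` a missing `$IMAGE_NAME.pub` aborts the build rather than producing an image with no key for its own registry, which is the right failure mode.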
@@ -52,5 +64,7 @@ cp POLICY.tmp /usr/etc/containers/policy.json
 cp POLICY.tmp /etc/containers/policy.json
 rm POLICY.tmp
 
-mv "$MODULE_DIRECTORY/signing/registry-config.yaml" "$CONTAINER_DIR/registries.d/$IMAGE_REGISTRY_TITLE.yaml"
-sed -i "s ghcr.io/IMAGENAME $IMAGE_REGISTRY g" "$CONTAINER_DIR/registries.d/$IMAGE_REGISTRY_TITLE.yaml"
+sed -i "s ghcr.io/IMAGENAME $IMAGE_REGISTRY g" "$MODULE_DIRECTORY/secureblue-signing/registry-config.yaml"
+cp "$MODULE_DIRECTORY/secureblue-signing/registry-config.yaml" "$CONTAINER_DIR/registries.d/$IMAGE_REGISTRY_TITLE.yaml"
+cp "$MODULE_DIRECTORY/secureblue-signing/registry-config.yaml" "$ETC_CONTAINER_DIR/registries.d/$IMAGE_REGISTRY_TITLE.yaml"
+rm "$MODULE_DIRECTORY/secureblue-signing/registry-config.yaml"
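Review bot: `sed -i "s ghcr.io/IMAGENAME $IMAGE_REGISTRY g"` splices `$IMAGE_REGISTRY` unescaped into a sed replacement that uses a space as delimiter, so a value containing a space, `&` or `\` would corrupt the `registries.d` entry that enables `use-sigstore-attachments` for the image's own registry; the value comes from the build pipeline rather than from end users, so this is a robustness point rather than an injection, but the templating step is avoidable. Writing the three-line file directly drops the `sed`/`cp`/`cp`/`rm` sequence: `printf 'docker:\n  %s:\n    use-sigstore-attachments: true\n' "$IMAGE_REGISTRY" > "$CONTAINER_DIR/registries.d/$IMAGE_REGISTRY_TITLE.yaml"` and the same redirected into `$ETC_CONTAINER_DIR`, leaving `registry-config.yaml` as documentation or removing it. If the template is kept, note that `sed -i` edits the module's source file in place before the copies, which is why the trailing `rm` is needed; a comment such as `# template is consumed in place; remove it so a re-run does not substitute twice` would make that intent explicit.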