Merge branch 'live' into usernsnotefix

RoyalOughtness · Nov 30, 2024 · 92747e1 · 92747e1
2 parents 12e7c2f + ed740c3
commit 92747e1
Show file tree

Hide file tree

Showing 4 changed files with 57 additions and 0 deletions.
diff --git a/docs/CONTRIBUTING.md b/docs/CONTRIBUTING.md
@@ -102,6 +102,47 @@ This usually involved editing the `Containerfile`. Most techniques for building
 
 Check out CoreOS's [layering examples](https://github.com/coreos/layering-examples) for more information on customizing.
 
+## Using Blue-build locally
+### Requirements
+
+- [Blue-build CLI](https://github.com/blue-build/cli)
+- Podman
+- git
+
+Secureblue already includes `bluebuild` but running locally requires customizing policy.json for your user to allow pulling a few unsigned images.
+
+#### Policy.json configuration
+
+On secureblue only pre-configured signed images are allowed to be pulled. Following repos need to be configured:
+
+- docker.io/mikefarah/yq `Unsigned`
+- ghcr.io/blue-build/cli `Unsigned`
+- ghcr.io/blue-build/modules `Unsigned`
+- quay.io/fedora-ostree-desktops `Unsigned`
+
+Copy `/etc/containers/policy.json` to `~/.config/containers/policy.json` and then add rules using podman CLI:
+
+- `podman image trust set --type accept docker.io/mikefarah/yq`
+- `podman image trust set --type accept ghcr.io/blue-build`
+- `podman image trust set --type accept quay.io/fedora-ostree-desktops`
+
+### Clone the repo
+
+    git clone https://github.com/secureblue/secureblue.git
+
+### Making changes
+
+Configuration is stored in `recipes` folder in form of YAML files. Other files to be added to the image are stored in `files`. `common` holds pluggable modules to add to your custom image. `general` and `securecore` hold configs for the desktop and server images, respectively. Documentation for modules can be found [here](https://blue-build.org/learn/getting-started/).
+
+### Building
+
+- Open terminal in root of your cloned repo.
+- Run `bluebuild build recipes/<your custom recipe>.yml`
+
+### Testing
+
+Run the image using `podman run` to get a root shell in your newly built image and verify the changes made prior.
+
 ## Styleguides
 ### Commit Messages
 

diff --git a/files/system/etc/containers/registries.d/cosign-release.yaml b/files/system/etc/containers/registries.d/cosign-release.yaml
@@ -0,0 +1,3 @@
+docker:
+  gcr.io/projectsigstore:
+    use-sigstore-attachments: true
diff --git a/files/system/etc/pki/containers/cosign-release.pub b/files/system/etc/pki/containers/cosign-release.pub
@@ -0,0 +1,4 @@
+-----BEGIN PUBLIC KEY-----
+MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEhyQCx0E9wQWSFI9ULGwy3BuRklnt
+IqozONbbdbqz11hlRJy9c7SG+hdcFl9jE9uE/dwtuwU2MqU9T/cN0YkWww==
+-----END PUBLIC KEY-----
diff --git a/files/system/usr/etc/containers/policy.json b/files/system/usr/etc/containers/policy.json
@@ -6,6 +6,15 @@
   ],
   "transports": {
       "docker": {
+        "gcr.io/projectsigstore": [
+            {
+                "type": "sigstoreSigned",
+                "keyPath": "/etc/pki/containers/cosign-release.pub",
+                "signedIdentity": {
+                    "type": "matchRepository"
+                }
+            }
+        ],
         "ghcr.io/wayblueorg": [
           {
             "type": "sigstoreSigned",