From 200fb1b2a738275c7b46b05b6ad6262bf3dfc1a9 Mon Sep 17 00:00:00 2001
From: qoijjj <129108030+qoijjj@users.noreply.github.com>
Date: Thu, 16 May 2024 10:01:53 -0700
Subject: [PATCH 1/3] fix: use cosign.pub for entire registry

---
 modules/signing/signing.sh | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/modules/signing/signing.sh b/modules/signing/signing.sh
index 42081bc..65dff21 100644
--- a/modules/signing/signing.sh
+++ b/modules/signing/signing.sh
@@ -27,16 +27,16 @@ if ! [ -f "$CONTAINER_DIR/policy.json" ]; then
 fi
 
 if ! [ -f "/usr/etc/pki/containers/$IMAGE_NAME_FILE.pub" ]; then
-  cp "/usr/share/ublue-os/cosign.pub" "/usr/etc/pki/containers/$IMAGE_NAME_FILE.pub"
+  cp "/usr/share/ublue-os/cosign.pub" "/usr/etc/pki/containers/$IMAGE_REGISTRY.pub"
 fi
 
 POLICY_FILE="$CONTAINER_DIR/policy.json"
 
 yq -i -o=j '.transports.docker |=
-    {"'"$IMAGE_REGISTRY"'/'"$IMAGE_NAME"'": [
+    {"'"$IMAGE_REGISTRY"'": [
         {
             "type": "sigstoreSigned",
-            "keyPath": "/usr/etc/pki/containers/'"$IMAGE_NAME_FILE"'.pub",
+            "keyPath": "/usr/etc/pki/containers/'"$IMAGE_REGISTRY"'.pub",
             "signedIdentity": {
                 "type": "matchRepository"
             }

From 0a7918abac968429e30ae51250e37f2e505d35ed Mon Sep 17 00:00:00 2001
From: qoijjj <129108030+qoijjj@users.noreply.github.com>
Date: Thu, 16 May 2024 10:17:48 -0700
Subject: [PATCH 2/3] Update signing.sh

---
 modules/signing/signing.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/modules/signing/signing.sh b/modules/signing/signing.sh
index 65dff21..5efc624 100644
--- a/modules/signing/signing.sh
+++ b/modules/signing/signing.sh
@@ -26,7 +26,7 @@ if ! [ -f "$CONTAINER_DIR/policy.json" ]; then
   cp "$MODULE_DIRECTORY/signing/policy.json" "$CONTAINER_DIR/policy.json"
 fi
 
-if ! [ -f "/usr/etc/pki/containers/$IMAGE_NAME_FILE.pub" ]; then
+if ! [ -f "/usr/etc/pki/containers/$IMAGE_REGISTRY.pub" ]; then
   cp "/usr/share/ublue-os/cosign.pub" "/usr/etc/pki/containers/$IMAGE_REGISTRY.pub"
 fi
 
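Review bot: The new policy key `"'"$IMAGE_REGISTRY"'"` makes every repository under that registry value installable when it carries a signature from the single shipped `cosign.pub`, where the removed key limited trust to `$IMAGE_REGISTRY/$IMAGE_NAME`; `matchRepository` still binds each signature to the repository it was produced for, and only the holder of the matching private key can sign, so the exposure is bounded by what that key signs — but the entry should still be as narrow as the deployment needs. If callers can pass a bare host such as a registry hostname rather than `host/namespace`, the entry covers every namespace on that host, which is presumably wider than intended; a guard above the `yq` call would make the contract explicit, e.g. `case "$IMAGE_REGISTRY" in */*) ;; *) echo "IMAGE_REGISTRY must be host/namespace, got '$IMAGE_REGISTRY'" >&2; exit 1 ;; esac`, together with a comment stating that the whole namespace is trusted under this key. Within this commit the `cp` destination changed to `$IMAGE_REGISTRY.pub` while the guard two lines above still tests `$IMAGE_NAME_FILE.pub`, and a slash in the registry turns the destination into a path under a directory that presumably does not exist; the two follow-up commits in this series address both. The `yq` expression continues past the end of the hunk.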
From e52f0a5e50dd30e769c03e4a78006bf69f5083c5 Mon Sep 17 00:00:00 2001
From: qoijjj <129108030+qoijjj@users.noreply.github.com>
Date: Thu, 16 May 2024 10:37:09 -0700
Subject: [PATCH 3/3] use IMAGE_REGISTRY_TITLE

---
 modules/signing/signing.sh | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/modules/signing/signing.sh b/modules/signing/signing.sh
index 5efc624..ac50427 100644
--- a/modules/signing/signing.sh
+++ b/modules/signing/signing.sh
@@ -6,6 +6,7 @@ set -euo pipefail
 CONTAINER_DIR="/usr/etc/containers"
 MODULE_DIRECTORY="${MODULE_DIRECTORY:-"/tmp/modules"}"
 IMAGE_NAME_FILE="${IMAGE_NAME//\//_}"
+IMAGE_REGISTRY_TITLE=$(echo "$IMAGE_REGISTRY" | cut -d'/' -f2-)
 
 echo "Setting up container signing in policy.json and cosign.yaml for $IMAGE_NAME"
 echo "Registry to write: $IMAGE_REGISTRY"
@@ -26,8 +27,8 @@ if ! [ -f "$CONTAINER_DIR/policy.json" ]; then
   cp "$MODULE_DIRECTORY/signing/policy.json" "$CONTAINER_DIR/policy.json"
 fi
 
-if ! [ -f "/usr/etc/pki/containers/$IMAGE_REGISTRY.pub" ]; then
-  cp "/usr/share/ublue-os/cosign.pub" "/usr/etc/pki/containers/$IMAGE_REGISTRY.pub"
+if ! [ -f "/usr/etc/pki/containers/$IMAGE_REGISTRY_TITLE.pub" ]; then
+  cp "/usr/share/ublue-os/cosign.pub" "/usr/etc/pki/containers/$IMAGE_REGISTRY_TITLE.pub"
 fi
 
 POLICY_FILE="$CONTAINER_DIR/policy.json"
@@ -36,7 +37,7 @@ yq -i -o=j '.transports.docker |=
     {"'"$IMAGE_REGISTRY"'": [
         {
             "type": "sigstoreSigned",
-            "keyPath": "/usr/etc/pki/containers/'"$IMAGE_REGISTRY"'.pub",
+            "keyPath": "/usr/etc/pki/containers/'"$IMAGE_REGISTRY_TITLE"'.pub",
             "signedIdentity": {
                 "type": "matchRepository"
             }
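Review bot: `IMAGE_REGISTRY_TITLE=$(echo "$IMAGE_REGISTRY" | cut -d'/' -f2-)` strips only the first path component, so a registry with a nested namespace (`host/org/sub`) still yields a value containing a slash, and the `cp` later in the file then targets a subdirectory of `/usr/etc/pki/containers` that presumably does not exist, aborting the build under `set -e`; a value with no slash at all is passed through unchanged by `cut`, which happens to work but is undocumented. Dropping the host also means two registries that share a namespace on different hosts map to the same `.pub` file name, and because the copy further down is guarded by `! [ -f ]`, the second registry would silently reuse whichever key was written first. The line directly above already uses the safer pattern: `IMAGE_REGISTRY_TITLE="${IMAGE_REGISTRY//\//_}"` keeps the host, removes every slash, and needs no subshell or pipe. Either way a one-line comment stating how the key file name is derived would help the next reader.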
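Review bot: The `! [ -f "/usr/etc/pki/containers/$IMAGE_REGISTRY_TITLE.pub" ]` guard keeps whatever file already sits at that path, so if a different key was left there by a base image or another module, the policy written below points at that key rather than the shipped `cosign.pub`, and the mismatch is invisible at build time. Warning when the existing file differs keeps the best-effort behaviour while surfacing the problem: `KEY_DST="/usr/etc/pki/containers/$IMAGE_REGISTRY_TITLE.pub"` above the guard, then `if [ -f "$KEY_DST" ] && ! cmp -s "/usr/share/ublue-os/cosign.pub" "$KEY_DST"; then echo "warning: $KEY_DST differs from shipped cosign.pub" >&2; fi`. Whether `/usr/etc/pki/containers` exists before the `cp` is not visible in the hunk; if it is not guaranteed, a `mkdir -p` ahead of the copy avoids a confusing failure.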