add signing key to image

awesomekyle · Apr 18, 2024 · 36cb1f5 · 36cb1f5
1 parent 69e4dc6
commit 36cb1f5
Show file tree

Hide file tree

Showing 4 changed files with 25 additions and 2 deletions.
diff --git a/Containerfile b/Containerfile
@@ -30,6 +30,12 @@ COPY --from=ghcr.io/ublue-os/bluefin-cli /usr/share/bash-prexec /usr/share/bash-
 # COPY ublue kmods, add needed negativo17 repo and then immediately disable due to incompatibility with RPMFusion
 COPY --from=ghcr.io/ublue-os/akmods:${AKMODS_FLAVOR}-${FEDORA_MAJOR_VERSION} /rpms /tmp/akmods-rpms
 
+#
+# AK: custom modifications required for downstream build
+#
+COPY ./cosign.pub /usr/etc/pki/containers/awesomekyle.pub
+COPY --from ghcr.io/ublue-os/config /usr/etc/containers/policy.json /usr/etc/containers/policy.json
+
 # Build, cleanup, commit.
 RUN rpm-ostree cliwrap install-to-root / && \
     bash -c ". /tmp/build/build-base.sh"  && \

diff --git a/build_files/custom/setup.sh b/build_files/custom/setup.sh
@@ -0,0 +1,14 @@
+#!/usr/bin/env bash
+
+# Add awesomekyle key to registries
+jq '.transports.docker += {
+    "ghcr.io/awesomekyle": [
+        {
+            "type": "sigstoreSigned",
+            "keyPath": "/usr/etc/pki/containers/awesomekyle.pub",
+            "signedIdentity": {
+                "type": "matchRepository"
+            }
+        }
+    ]
+    }' /usr/etc/containers/policy.json
diff --git a/cosign.pub b/cosign.pub
@@ -1,4 +1,4 @@
 -----BEGIN PUBLIC KEY-----
-MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE7kko3M2Lq5V+RT1v+zpzuoQeJ/Xn
-KfJ1bD9O54kJ47YAT+ohVzOxDCx2gMh6TLMPtWFZoB8+Ybf0ioEFJMPXOg==
+MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEGEinbMi+2yu4Rz4LUIoCXMtjl1M7
+ERj7wWSOaOII0+BzWzJzG12bdBHXmdEtlk9FkMNBKSWAEP2TfHlTUhPvjg==
 -----END PUBLIC KEY-----
diff --git a/system_files/shared/usr/etc/containers/registries.d/awesomekyle.yaml b/system_files/shared/usr/etc/containers/registries.d/awesomekyle.yaml
@@ -0,0 +1,3 @@
+docker:
+  ghcr.io/awesomekyle:
+    use-sigstore-attachments: true