From b9ce64f97380caff1565f49ec3fd9bec56d2d518 Mon Sep 17 00:00:00 2001 
From: fiftydinar <65243233+fiftydinar@users.noreply.github.com> Date: Sat, 7 Dec 2024 21:15:44 +0100 Subject: [PATCH 1/4] chore(signing): Switch fully from `/usr/etc/` to `/etc/` Fixes: #319 I only tested this in non-Universal Blue image. With & without rechunk. Before: ``` [11:39:42 g.i/h/rechunk:v1.0.1] => WARNING: FOUND /usr/etc. MERGING TO ETC FOR COMPATIBILITY [11:39:42 g.i/h/rechunk:v1.0.1] => EXPECT PERMISSIONS ISSUES ON THE MERGED PATHS [11:39:42 g.i/h/rechunk:v1.0.1] => The following files from /usr/etc will be merged to /etc: [11:39:42 g.i/h/rechunk:v1.0.1] => ./usr/etc [11:39:42 g.i/h/rechunk:v1.0.1] => |-- containers [11:39:42 g.i/h/rechunk:v1.0.1] => | |-- policy.json [11:39:42 g.i/h/rechunk:v1.0.1] => | `-- registries.d [11:39:42 g.i/h/rechunk:v1.0.1] => | `-- gidro-os.yaml [11:39:42 g.i/h/rechunk:v1.0.1] => `-- pki [11:39:42 g.i/h/rechunk:v1.0.1] => `-- containers [11:39:42 g.i/h/rechunk:v1.0.1] => `-- gidro-os.pub [11:39:42 g.i/h/rechunk:v1.0.1] => [11:39:42 g.i/h/rechunk:v1.0.1] => 5 directories, 3 files ``` After: ``` [18:26:31 g.i/h/rechunk:v1.0.1] => WARNING: FOUND /usr/etc. MERGING TO ETC FOR COMPATIBILITY [18:26:31 g.i/h/rechunk:v1.0.1] => EXPECT PERMISSIONS ISSUES ON THE MERGED PATHS [18:26:31 g.i/h/rechunk:v1.0.1] => The following files from /usr/etc will be merged to /etc: [18:26:31 g.i/h/rechunk:v1.0.1] => ./usr/etc [18:26:31 g.i/h/rechunk:v1.0.1] => `-- pki [18:26:31 g.i/h/rechunk:v1.0.1] => `-- containers [18:26:31 g.i/h/rechunk:v1.0.1] => `-- gidro-os.pub [18:26:31 g.i/h/rechunk:v1.0.1] => [18:26:31 g.i/h/rechunk:v1.0.1] => 3 directories, 1 file ``` Only thing remaining is to see if copying .pub keys to `/etc/` only will work, as it caused issues before. That would get rid of all files in `/usr/etc/`. 
https://github.com/blue-build/cli/blob/a8cac2adc90fa842e4565bc1825e588df4f5bcbd/template/templates/Containerfile.j2#L26
---
 modules/signing/signing.sh | 43 +++++++++++++++++---------------------
 1 file changed, 19 insertions(+), 24 deletions(-)

diff --git a/modules/signing/signing.sh b/modules/signing/signing.sh
index f1565a6b..c68ae55d 100644
--- a/modules/signing/signing.sh
+++ b/modules/signing/signing.sh
@@ -3,40 +3,35 @@
 # Tell build process to exit if there are any errors.
 set -euo pipefail
 
-# Don't migrate this module from utilizing `/usr/etc/` to `/etc/` yet, as Ublue needs to solve this issue
-# https://github.com/ublue-os/config/pull/311
-CONTAINER_DIR="/usr/etc/containers"
+CONTAINER_DIR="/etc/containers"
 MODULE_DIRECTORY="${MODULE_DIRECTORY:-"/tmp/modules"}"
 IMAGE_NAME_FILE="${IMAGE_NAME//\//_}"
 
-echo "Setting up container signing in policy.json and cosign.yaml for $IMAGE_NAME"
-echo "Registry to write: $IMAGE_REGISTRY"
+echo "Setting up container signing in policy.json and cosign.yaml for ${IMAGE_NAME}"
+echo "Registry to write: ${IMAGE_REGISTRY}"
 
-if ! [ -d "$CONTAINER_DIR" ]; then
- mkdir -p "$CONTAINER_DIR"
+if ! [ -d "${CONTAINER_DIR}" ]; then
+ mkdir -p "${CONTAINER_DIR}"
 fi
 
-if ! [ -d $CONTAINER_DIR/registries.d ]; then
- mkdir -p "$CONTAINER_DIR/registries.d"
+if ! [ -d "${CONTAINER_DIR}/registries.d" ]; then
+ mkdir -p "${CONTAINER_DIR}/registries.d"
 fi
 
-if ! [ -d "/usr/etc/pki/containers" ]; then
- mkdir -p "/usr/etc/pki/containers"
+if ! [ -d "/etc/pki/containers" ]; then
+ mkdir -p "/etc/pki/containers"
 fi
 
-if ! [ -f "$CONTAINER_DIR/policy.json" ]; then
- cp "$MODULE_DIRECTORY/signing/policy.json" "$CONTAINER_DIR/policy.json"
+if ! [ -f "/etc/pki/containers/${IMAGE_NAME_FILE}.pub" ]; then
+ cp "/usr/share/ublue-os/cosign.pub" "/etc/pki/containers/${IMAGE_NAME_FILE}.pub"
 fi
 
-if ! [ -f "/usr/etc/pki/containers/$IMAGE_NAME_FILE.pub" ]; then
- cp "/usr/share/ublue-os/cosign.pub" "/usr/etc/pki/containers/$IMAGE_NAME_FILE.pub"
-fi
-
-POLICY_FILE="$CONTAINER_DIR/policy.json"
+TEMPLATE_POLICY="${MODULE_DIRECTORY}/signing/policy.json"
+POLICY_FILE="${CONTAINER_DIR}/policy.json"
 
-jq --arg image_registry "$IMAGE_REGISTRY" \
- --arg image_name "$IMAGE_NAME" \
- --arg image_name_file "$IMAGE_NAME_FILE" \
+jq --arg image_registry "${IMAGE_REGISTRY}" \
+ --arg image_name "${IMAGE_NAME}" \
+ --arg image_name_file "${IMAGE_NAME_FILE}" \
 '.transports.docker |= {
 ($image_registry + "/" + $image_name): [
 {
@@ -46,7 +41,7 @@ jq --arg image_registry "$IMAGE_REGISTRY" \
 "type": "matchRepository"
 }
 }
- ] } + .' "$POLICY_FILE" > /tmp/tmp-policy.json && mv /tmp/tmp-policy.json "$POLICY_FILE"
+ ] } + .' "${TEMPLATE_POLICY}" > "${POLICY_FILE}"
 
-mv "$MODULE_DIRECTORY/signing/registry-config.yaml" "$CONTAINER_DIR/registries.d/$IMAGE_NAME_FILE.yaml"
-sed -i "s ghcr.io/IMAGENAME $IMAGE_REGISTRY g" "$CONTAINER_DIR/registries.d/$IMAGE_NAME_FILE.yaml"
+mv "${MODULE_DIRECTORY}/signing/registry-config.yaml" "${CONTAINER_DIR}/registries.d/${IMAGE_NAME_FILE}.yaml"
+sed -i "s ghcr.io/IMAGENAME ${IMAGE_REGISTRY} g" "${CONTAINER_DIR}/registries.d/${IMAGE_NAME_FILE}.yaml"

From 8b0d034f45296fe737d571885ae33e52df97b215 Mon Sep 17 00:00:00 2001
From: fiftydinar <65243233+fiftydinar@users.noreply.github.com>
Date: Sat, 7 Dec 2024 22:24:09 +0100
Subject: [PATCH 2/4] fix(signing): Error-out on missing image cosign key

---
 modules/signing/signing.sh | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/modules/signing/signing.sh b/modules/signing/signing.sh
index c68ae55d..5d0c1bd1 100644
--- a/modules/signing/signing.sh
+++ b/modules/signing/signing.sh
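Review bot: `IMAGE_NAME` and `IMAGE_REGISTRY` are guarded only by `set -u`, which rejects unset values but not empty ones; with an empty `IMAGE_NAME` the derived `IMAGE_NAME_FILE` is empty, the key test becomes `/etc/pki/containers/.pub`, the registries.d file becomes `.yaml`, and the policy key `($image_registry + "/" + $image_name)` degenerates to `registry/`. Assert both right after the `IMAGE_NAME_FILE=` line with `: "${IMAGE_NAME:?IMAGE_NAME must be set}"` and `: "${IMAGE_REGISTRY:?IMAGE_REGISTRY must be set}"`, so the module fails before it writes anything under `/etc`. The three `if ! [ -d ... ]; then mkdir -p ...; fi` blocks can be a single `mkdir -p "${CONTAINER_DIR}/registries.d" /etc/pki/containers`, since `mkdir -p` is already a no-op on an existing directory.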
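Review bot: `> "${POLICY_FILE}"` truncates the target before jq has produced any output, so a jq failure (a malformed template, for instance) leaves an empty or partial `policy.json` in place while `set -e` aborts the build; the removed temp-file-and-`mv` form kept the target intact on failure. Keep that property with `... "${TEMPLATE_POLICY}" > "${POLICY_FILE}.tmp" && mv "${POLICY_FILE}.tmp" "${POLICY_FILE}"`. A second behaviour change is that the filter now reads the module template rather than an existing `${CONTAINER_DIR}/policy.json`, so trust entries a base image already had under `transports.docker` are no longer merged in by the `+ .` at the end of the filter; if that is intended it deserves a comment next to `TEMPLATE_POLICY=`, otherwise use the existing file as input when it is present.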
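Review bot: The two `echo` lines report a fatal condition but write to stdout, so when build output and diagnostics are split by stream the only remaining signal is the bare `exit 1`; the reworded first line in PATCH 3/4 has the same issue. Group them and redirect once, keeping the message text unchanged: `{ echo "ERROR: ..."; echo "   BlueBuild CLI should have copied it, but it didn't"; } >&2`. Failing closed here is the right choice, since the removed `cp` of a generic `/usr/share/ublue-os/cosign.pub` would have produced a policy that accepts signatures from a key that may not be the image's.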
@@ -23,7 +23,9 @@ if ! [ -d "/etc/pki/containers" ]; then
 fi
 
 if ! [ -f "/etc/pki/containers/${IMAGE_NAME_FILE}.pub" ]; then
- cp "/usr/share/ublue-os/cosign.pub" "/etc/pki/containers/${IMAGE_NAME_FILE}.pub"
+ echo "ERROR: Cannot find '.pub' image key in '/etc/pki/containers/'"
+ echo " BlueBuild CLI should have copied it, but it didn't"
+ exit 1
 fi
 
 TEMPLATE_POLICY="${MODULE_DIRECTORY}/signing/policy.json"

From d4966694b401022dd7b008d3a0d9448b3a51d5c9 Mon Sep 17 00:00:00 2001
From: fiftydinar <65243233+fiftydinar@users.noreply.github.com>
Date: Sat, 7 Dec 2024 22:29:49 +0100
Subject: [PATCH 3/4] chore(signing): More descriptive log about missing image key

---
 modules/signing/signing.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/modules/signing/signing.sh b/modules/signing/signing.sh
index 5d0c1bd1..057e0b7d 100644
--- a/modules/signing/signing.sh
+++ b/modules/signing/signing.sh
@@ -23,7 +23,7 @@ if ! [ -d "/etc/pki/containers" ]; then
 fi
 
 if ! [ -f "/etc/pki/containers/${IMAGE_NAME_FILE}.pub" ]; then
- echo "ERROR: Cannot find '.pub' image key in '/etc/pki/containers/'"
+ echo "ERROR: Cannot find '${IMAGE_NAME_FILE}.pub' image key in '/etc/pki/containers/'"
 echo " BlueBuild CLI should have copied it, but it didn't"
 exit 1
 fi

From be33047b77cb3b036365392bcae5cc45d28bb5f4 Mon Sep 17 00:00:00 2001
From: fiftydinar <65243233+fiftydinar@users.noreply.github.com>
Date: Sun, 8 Dec 2024 22:52:21 +0100
Subject: [PATCH 4/4] chore(signing): Copy `policy.json` to `/usr/etc/` in Universal Blue images

---
 modules/signing/signing.sh | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/modules/signing/signing.sh b/modules/signing/signing.sh
index 057e0b7d..23f324a2 100644
--- a/modules/signing/signing.sh
+++ b/modules/signing/signing.sh
@@ -29,7 +29,13 @@ if ! [ -f "/etc/pki/containers/${IMAGE_NAME_FILE}.pub" ]; then
 fi
 
 TEMPLATE_POLICY="${MODULE_DIRECTORY}/signing/policy.json"
-POLICY_FILE="${CONTAINER_DIR}/policy.json"
+# Copy policy.json to '/usr/etc/containers/' on Universal Blue based images
+# until they solve the issue by copying 'policy.json' to '/etc/containers/' instead
+if rpm -q ublue-os-signing &>/dev/null; then
+ POLICY_FILE="/usr/etc/containers/policy.json"
+else
+ POLICY_FILE="${CONTAINER_DIR}/policy.json"
+fi
 
 jq --arg image_registry "${IMAGE_REGISTRY}" \
 --arg image_name "${IMAGE_NAME}" \
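Review bot: On the `rpm -q ublue-os-signing` branch `POLICY_FILE` points into `/usr/etc/containers/`, but this script no longer creates that directory (PATCH 1/4 moved its `mkdir -p` to `/etc/containers`), so the `> "${POLICY_FILE}"` redirect of the jq command, which continues past the end of this hunk, now depends on the package having shipped `/usr/etc/containers/`; if it has not, the redirect fails and `set -e` aborts the build. Adding `mkdir -p "${POLICY_FILE%/*}"` after the `fi` keeps both branches self-sufficient. Note also that any non-zero exit from `rpm -q`, whether the package is absent or rpm itself failed, selects the `/etc/` path since `&>/dev/null` hides the distinction; the comment above the `if` should say that the fallback is deliberate, e.g. `# any rpm failure falls through to /etc/ (the non-Universal-Blue layout)`.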