basically making it rely on the upstream signing configs

GGerblesh basically making it rely on the upstream signing configs

B

bsherman•7/23/23, 5:14 AM

the trick here is that startingpoint itself is signed with ublue-os key, but it's meant for users to make their own (eg, my own image is signed with a personal key)...

so the policy file needs to be managed by downstream user builds and have their own bits injected

Bbsherman the trick here is that startingpoint itself is signed with ublue-os key, but it'...

G

GerbleshOP•7/23/23, 5:15 AM

basically I just replace the instances of ghcr.io/ublue-os with the user's repo eg: ghcr.io/gerblesh, replace ublue-os.pub with cosign.pub, you get the idea

G

GerbleshOP•7/23/23, 5:15 AM

it's just 3 sed commands

B

bsherman•7/23/23, 5:16 AM

and probably we don't want to remove (sed replace) the ublue-os info since doing so would prevent those users from rebasing back to a signed ublue-os image

G

GerbleshOP•7/23/23, 5:16 AM

oh true

G

GerbleshOP•7/23/23, 5:16 AM

hm

G

GerbleshOP•7/23/23, 5:16 AM

is it possible to use jq to wrirte to it

B

bsherman•7/23/23, 5:16 AM

i mean, i don't normally contribute to startingpoint

so I'm happy to defer to others for the direction of that repo/image

just pointing out the concern I see there

Bbsherman i mean, i don't normally contribute to startingpoint 🙂 so I'm happy to defer to...

G

GerbleshOP•7/23/23, 5:17 AM

no yeah I was thinking about that as well

G

GerbleshOP•7/23/23, 5:17 AM

it makes sense if a user would want to rebase back to a uBlue image

G

GerbleshOP•7/23/23, 5:18 AM

so maybe jq/yq?

B

bsherman•7/23/23, 5:20 AM

i wonder if we could add some dummy stanzas to the files in startingpoint

eg, in policy.json add

            "ghcr.io/IMAGE_REGISTRY": [
                {
                    "type": "sigstoreSigned",
                    "keyPath": "/usr/etc/pki/containers/IMAGE_REGISTRY.pub",
                    "signedIdentity": {
                        "type": "matchRepository"
                    }

            "ghcr.io/IMAGE_REGISTRY": [
                {
                    "type": "sigstoreSigned",
                    "keyPath": "/usr/etc/pki/containers/IMAGE_REGISTRY.pub",
                    "signedIdentity": {
                        "type": "matchRepository"
                    }

            "ghcr.io/IMAGE_REGISTRY": [
                {
                    "type": "sigstoreSigned",
                    "keyPath": "/usr/etc/pki/containers/IMAGE_REGISTRY.pub",
                    "signedIdentity": {
                        "type": "matchRepository"
                    }

            "ghcr.io/IMAGE_REGISTRY": [
                {
                    "type": "sigstoreSigned",
                    "keyPath": "/usr/etc/pki/containers/IMAGE_REGISTRY.pub",
                    "signedIdentity": {
                        "type": "matchRepository"
                    }

and also add something similar to

cosign.yaml

cosign.yaml

G

GerbleshOP•7/23/23, 5:20 AM

i'd still want to keep in line with the upstream signing configs

B

bsherman•7/23/23, 5:20 AM

but if i was maintaing startingpoint, i'd want to use the files from

ublue-os/config

ublue-os/config

and mutate them at build time, yeah

G

GerbleshOP•7/23/23, 5:21 AM

yeah

G

GerbleshOP•7/23/23, 5:21 AM

the registries.d is easy because I can just copy the file

B

bsherman•7/23/23, 5:22 AM

i'm not thrilled with the naming of

pki/containers/cosign.pub

pki/containers/cosign.pub

it's a bit generic

B

bsherman•7/23/23, 5:22 AM

i think it should be

ublue-os.pub

ublue-os.pub

to match the registry... but i don't know if

registries.d/cosign.yaml

registries.d/cosign.yaml

needs to match that or how it all works... i'm a bit new to this area

B

bsherman•7/23/23, 5:24 AM

i'll tinker with renaming that for a distinct PR

G

GerbleshOP•7/23/23, 5:24 AM

idk I just was sticking with what was there before (cosign.pub in the root of the repo)

B

bsherman•7/23/23, 5:24 AM

right, i'm only suggesting that our ublue-os/config RPM could probably have improved, more specific naming.

G

GerbleshOP•7/23/23, 5:24 AM

I'm honestly horrible with naming and I don't understand a lot of these configs so I probably shouldn't be touching much of it

B

bsherman•7/23/23, 5:24 AM

which would hopefully aid in supporting downstream images like startingpoint

B

bsherman•7/23/23, 5:30 AM

oh, ublue-os already has the better naming i'd hoped for

B

bsherman•7/23/23, 5:31 AM

i was misreading

K

Kyle Gospo•7/23/23, 5:31 AM

only downside is that rebasing from a stock image is a pain in the ass

B

bsherman•7/23/23, 5:31 AM

yay for small happy wins

K

Kyle Gospo•7/23/23, 5:31 AM

but it's as clean as we can make it imo

K

Kyle Gospo•7/23/23, 5:31 AM

podman pull ghcr.io/ublue-os/config && rpm-ostree install --assumeyes --apply-live --force-replacefiles $(find ~/.local/share/containers -name ublue-os-signing.noarch.rpm 2>/dev/null) && rpm-ostree rebase --uninstall $(rpm -q ublue-os-signing-* --queryformat '%{NAME}-%{VERSION}-%{RELEASE}.%{Arch}') ostree-image-signed:docker://ghcr.io/ublue-os/bazzite:latest

podman pull ghcr.io/ublue-os/config && rpm-ostree install --assumeyes --apply-live --force-replacefiles $(find ~/.local/share/containers -name ublue-os-signing.noarch.rpm 2>/dev/null) && rpm-ostree rebase --uninstall $(rpm -q ublue-os-signing-* --queryformat '%{NAME}-%{VERSION}-%{RELEASE}.%{Arch}') ostree-image-signed:docker://ghcr.io/ublue-os/bazzite:latest

podman pull ghcr.io/ublue-os/config && rpm-ostree install --assumeyes --apply-live --force-replacefiles $(find ~/.local/share/containers -name ublue-os-signing.noarch.rpm 2>/dev/null) && rpm-ostree rebase --uninstall $(rpm -q ublue-os-signing-* --queryformat '%{NAME}-%{VERSION}-%{RELEASE}.%{Arch}') ostree-image-signed:docker://ghcr.io/ublue-os/bazzite:latest

podman pull ghcr.io/ublue-os/config && rpm-ostree install --assumeyes --apply-live --force-replacefiles $(find ~/.local/share/containers -name ublue-os-signing.noarch.rpm 2>/dev/null) && rpm-ostree rebase --uninstall $(rpm -q ublue-os-signing-* --queryformat '%{NAME}-%{VERSION}-%{RELEASE}.%{Arch}') ostree-image-signed:docker://ghcr.io/ublue-os/bazzite:latest

K

Kyle Gospo•7/23/23, 5:32 AM

pull the rpm containing the keys, install it (with no reboot needed), then uninstall it and rebase at the same time

K

Kyle Gospo•7/23/23, 5:32 AM

now you're on a signed image

B

bsherman•7/23/23, 5:33 AM

right, the only way to improve that is 1) have an installer which provides this by default... or 2) provide the

ublue-os-signing.noarch.rpm

ublue-os-signing.noarch.rpm

for users to install with

rpm-ostree install -A ublue-os-signing.noarch.rpm

rpm-ostree install -A ublue-os-signing.noarch.rpm

then the rebase command should work...

well, that's what your one liner does

just it's scary to the average user

G

GerbleshOP•7/23/23, 5:34 AM

huh

Bbsherman right, the only way to improve that is 1) have an installer which provides this ...

K

Kyle Gospo•7/23/23, 5:37 AM

shout out to @xkrith for that one

J

j0rge•7/23/23, 3:10 PM

@bsherman nices fixes this morning thank you, main's done and I kicked off nvidia

J

j0rge•7/23/23, 3:11 PM

<-- must have these improvements lol

Jj0rge <-- must have these improvements lol

B

bsherman•7/23/23, 4:57 PM

i just realized i probably should have incremented the version and done a changelog entry for the containers policy thing, but oh well

E

EyeCantCU•7/23/23, 6:47 PM

The horror of a spec file not having a changelog! What will we ever do

G

GerbleshOP•7/23/23, 7:14 PM

@j0rge sorry, you merged a broken PR, I fixed it in my new one. Should've made it a draft, that was my bad

G

GerbleshOP•7/23/23, 7:15 PM

basically it fixes jq not having inplace editing, variable substitution, and renames cosign,yaml and cosign.pub to match the repo name

G

GerbleshOP•7/23/23, 7:16 PM

{
  "default": [
    {
      "type": "reject"
    }
  ],
  "transports": {
    "docker": {
      "registry.access.redhat.com": [
        {
          "type": "signedBy",
          "keyType": "GPGKeys",
          "keyPath": "/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release"
        }
      ],
      "registry.redhat.io": [
        {
          "type": "signedBy",
          "keyType": "GPGKeys",
          "keyPath": "/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release"
        }
      ],
      "ghcr.io/ublue-os": [
        {
          "type": "sigstoreSigned",
          "keyPath": "/usr/etc/pki/containers/ublue-os.pub",
          "signedIdentity": {
            "type": "matchRepository"
          }
        }
      ],
      "": [
        {
          "type": "insecureAcceptAnything"
        }
      ],
      "ghcr.io/gerblesh": [
        {
          "type": "sigstoreSigned",
          "keyPath": "/usr/etc/pki/containers/usway.pub",
          "signedIdentity": {
            "type": "matchRepository"
          }
        }
      ]
    },
    "docker-daemon": {
      "": [
        {
          "type": "insecureAcceptAnything"
        }
      ]
    },
    "atomic": {
      "": [
        {
          "type": "insecureAcceptAnything"
        }
      ]
    },
    "containers-storage": {
      "": [
        {
          "type": "insecureAcceptAnything"
        }
      ]
    },
    "dir": {
      "": [
        {
          "type": "insecureAcceptAnything"
        }
      ]
    },
    "oci": {
      "": [
        {
          "type": "insecureAcceptAnything"
        }
      ]
    },
    "tarball": {
      "": [
        {
          "type": "insecureAcceptAnything"
        }
      ]
    }
  }
}

{
  "default": [
    {
      "type": "reject"
    }
  ],
  "transports": {
    "docker": {
      "registry.access.redhat.com": [
        {
          "type": "signedBy",
          "keyType": "GPGKeys",
          "keyPath": "/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release"
        }
      ],
      "registry.redhat.io": [
        {
          "type": "signedBy",
          "keyType": "GPGKeys",
          "keyPath": "/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release"
        }
      ],
      "ghcr.io/ublue-os": [
        {
          "type": "sigstoreSigned",
          "keyPath": "/usr/etc/pki/containers/ublue-os.pub",
          "signedIdentity": {
            "type": "matchRepository"
          }
        }
      ],
      "": [
        {
          "type": "insecureAcceptAnything"
        }
      ],
      "ghcr.io/gerblesh": [
        {
          "type": "sigstoreSigned",
          "keyPath": "/usr/etc/pki/containers/usway.pub",
          "signedIdentity": {
            "type": "matchRepository"
          }
        }
      ]
    },
    "docker-daemon": {
      "": [
        {
          "type": "insecureAcceptAnything"
        }
      ]
    },
    "atomic": {
      "": [
        {
          "type": "insecureAcceptAnything"
        }
      ]
    },
    "containers-storage": {
      "": [
        {
          "type": "insecureAcceptAnything"
        }
      ]
    },
    "dir": {
      "": [
        {
          "type": "insecureAcceptAnything"
        }
      ]
    },
    "oci": {
      "": [
        {
          "type": "insecureAcceptAnything"
        }
      ]
    },
    "tarball": {
      "": [
        {
          "type": "insecureAcceptAnything"
        }
      ]
    }
  }
}

{
  "default": [
    {
      "type": "reject"
    }
  ],
  "transports": {
    "docker": {
      "registry.access.redhat.com": [
        {
          "type": "signedBy",
          "keyType": "GPGKeys",
          "keyPath": "/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release"
        }
      ],
      "registry.redhat.io": [
        {
          "type": "signedBy",
          "keyType": "GPGKeys",
          "keyPath": "/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release"
        }
      ],
      "ghcr.io/ublue-os": [
        {
          "type": "sigstoreSigned",
          "keyPath": "/usr/etc/pki/containers/ublue-os.pub",
          "signedIdentity": {
            "type": "matchRepository"
          }
        }
      ],
      "": [
        {
          "type": "insecureAcceptAnything"
        }
      ],
      "ghcr.io/gerblesh": [
        {
          "type": "sigstoreSigned",
          "keyPath": "/usr/etc/pki/containers/usway.pub",
          "signedIdentity": {
            "type": "matchRepository"
          }
        }
      ]
    },
    "docker-daemon": {
      "": [
        {
          "type": "insecureAcceptAnything"
        }
      ]
    },
    "atomic": {
      "": [
        {
          "type": "insecureAcceptAnything"
        }
      ]
    },
    "containers-storage": {
      "": [
        {
          "type": "insecureAcceptAnything"
        }
      ]
    },
    "dir": {
      "": [
        {
          "type": "insecureAcceptAnything"
        }
      ]
    },
    "oci": {
      "": [
        {
          "type": "insecureAcceptAnything"
        }
      ]
    },
    "tarball": {
      "": [
        {
          "type": "insecureAcceptAnything"
        }
      ]
    }
  }
}

{
  "default": [
    {
      "type": "reject"
    }
  ],
  "transports": {
    "docker": {
      "registry.access.redhat.com": [
        {
          "type": "signedBy",
          "keyType": "GPGKeys",
          "keyPath": "/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release"
        }
      ],
      "registry.redhat.io": [
        {
          "type": "signedBy",
          "keyType": "GPGKeys",
          "keyPath": "/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release"
        }
      ],
      "ghcr.io/ublue-os": [
        {
          "type": "sigstoreSigned",
          "keyPath": "/usr/etc/pki/containers/ublue-os.pub",
          "signedIdentity": {
            "type": "matchRepository"
          }
        }
      ],
      "": [
        {
          "type": "insecureAcceptAnything"
        }
      ],
      "ghcr.io/gerblesh": [
        {
          "type": "sigstoreSigned",
          "keyPath": "/usr/etc/pki/containers/usway.pub",
          "signedIdentity": {
            "type": "matchRepository"
          }
        }
      ]
    },
    "docker-daemon": {
      "": [
        {
          "type": "insecureAcceptAnything"
        }
      ]
    },
    "atomic": {
      "": [
        {
          "type": "insecureAcceptAnything"
        }
      ]
    },
    "containers-storage": {
      "": [
        {
          "type": "insecureAcceptAnything"
        }
      ]
    },
    "dir": {
      "": [
        {
          "type": "insecureAcceptAnything"
        }
      ]
    },
    "oci": {
      "": [
        {
          "type": "insecureAcceptAnything"
        }
      ]
    },
    "tarball": {
      "": [
        {
          "type": "insecureAcceptAnything"
        }
      ]
    }
  }
}

GGerblesh ``` { "default": [ { "type": "reject" } ], "transports": { ...

G

GerbleshOP•7/23/23, 7:16 PM

idk if this is right, is it fine that the custom repo comes after the blank string?

G

GerbleshOP•7/23/23, 7:17 PM

anyhow I gotta get going, sorry for making a broken PR and not marking it as draft

J

j0rge•7/23/23, 8:26 PM

ok I reverted, there's a conflict you need to resolve

GGerblesh anyhow I gotta get going, sorry for making a broken PR and not marking it as dra...

J

j0rge•7/23/23, 8:48 PM

no need to apologize, that's what git is for. walters just responded to my email, he's hoping to document the situation better this week, they were dealing with a higher priority issue last week.

GGerblesh idk if this is right, is it fine that the custom repo comes after the blank stri...

G

GerbleshOP•7/24/23, 2:48 AM

does anyone know if the order matters?

J

j0rge•7/24/23, 2:53 AM

@bsherman @KyleGospo hey rando idea

J

j0rge•7/24/23, 2:54 AM

conceptually, since we're building akmods in that repo, couldn't we build nvidia there and then have the nvidia images build out of main?

R

Robert•7/24/23, 5:40 AM

That's what I've been doing for a while now, and it works great.

The only thing I am wanting to do is split the builds to be grouped by Fedora version. E.g. make sure 38-Nvidia does not depend on 37 builds

Jj0rge conceptually, since we're building akmods in that repo, couldn't we build nvidia...

K

Kyle Gospo•7/24/23, 6:12 AM

I'm not super familiar with how nvidia is built, but certainly we could host the kmod portion there

basically making it rely on the upstream signing configs

Similar Threads

Similar Threads

Similar Threads