the trick here is that startingpoint itself is signed with ublue-os key, but it's meant for users to

Bbsherman the trick here is that startingpoint itself is signed with ublue-os key, but it'...

G

Gerblesh•7/23/23, 5:15 AM

basically I just replace the instances of ghcr.io/ublue-os with the user's repo eg: ghcr.io/gerblesh, replace ublue-os.pub with cosign.pub, you get the idea

G

Gerblesh•7/23/23, 5:15 AM

it's just 3 sed commands

B

bshermanOP•7/23/23, 5:16 AM

and probably we don't want to remove (sed replace) the ublue-os info since doing so would prevent those users from rebasing back to a signed ublue-os image

G

Gerblesh•7/23/23, 5:16 AM

oh true

G

Gerblesh•7/23/23, 5:16 AM

hm

G

Gerblesh•7/23/23, 5:16 AM

is it possible to use jq to wrirte to it

B

bshermanOP•7/23/23, 5:16 AM

i mean, i don't normally contribute to startingpoint

so I'm happy to defer to others for the direction of that repo/image

just pointing out the concern I see there

Bbsherman i mean, i don't normally contribute to startingpoint 🙂 so I'm happy to defer to...

G

Gerblesh•7/23/23, 5:17 AM

no yeah I was thinking about that as well

G

Gerblesh•7/23/23, 5:17 AM

it makes sense if a user would want to rebase back to a uBlue image

G

Gerblesh•7/23/23, 5:18 AM

so maybe jq/yq?

B

bshermanOP•7/23/23, 5:20 AM

i wonder if we could add some dummy stanzas to the files in startingpoint

eg, in policy.json add

            "ghcr.io/IMAGE_REGISTRY": [
                {
                    "type": "sigstoreSigned",
                    "keyPath": "/usr/etc/pki/containers/IMAGE_REGISTRY.pub",
                    "signedIdentity": {
                        "type": "matchRepository"
                    }

            "ghcr.io/IMAGE_REGISTRY": [
                {
                    "type": "sigstoreSigned",
                    "keyPath": "/usr/etc/pki/containers/IMAGE_REGISTRY.pub",
                    "signedIdentity": {
                        "type": "matchRepository"
                    }

            "ghcr.io/IMAGE_REGISTRY": [
                {
                    "type": "sigstoreSigned",
                    "keyPath": "/usr/etc/pki/containers/IMAGE_REGISTRY.pub",
                    "signedIdentity": {
                        "type": "matchRepository"
                    }

            "ghcr.io/IMAGE_REGISTRY": [
                {
                    "type": "sigstoreSigned",
                    "keyPath": "/usr/etc/pki/containers/IMAGE_REGISTRY.pub",
                    "signedIdentity": {
                        "type": "matchRepository"
                    }

and also add something similar to

cosign.yaml

cosign.yaml

cosign.yaml

cosign.yaml

G

Gerblesh•7/23/23, 5:20 AM

i'd still want to keep in line with the upstream signing configs

B

bshermanOP•7/23/23, 5:20 AM

but if i was maintaing startingpoint, i'd want to use the files from

ublue-os/config

ublue-os/config

ublue-os/config

ublue-os/config and mutate them at build time, yeah

G

Gerblesh•7/23/23, 5:21 AM

yeah

G

Gerblesh•7/23/23, 5:21 AM

the registries.d is easy because I can just copy the file

B

bshermanOP•7/23/23, 5:22 AM

i'm not thrilled with the naming of

pki/containers/cosign.pub

pki/containers/cosign.pub

pki/containers/cosign.pub

pki/containers/cosign.pub

it's a bit generic

B

bshermanOP•7/23/23, 5:22 AM

i think it should be

ublue-os.pub

ublue-os.pub

ublue-os.pub

ublue-os.pub to match the registry... but i don't know if

registries.d/cosign.yaml

registries.d/cosign.yaml

registries.d/cosign.yaml

registries.d/cosign.yaml needs to match that or how it all works... i'm a bit new to this area

B

bshermanOP•7/23/23, 5:24 AM

i'll tinker with renaming that for a distinct PR

G

Gerblesh•7/23/23, 5:24 AM

idk I just was sticking with what was there before (cosign.pub in the root of the repo)

B

bshermanOP•7/23/23, 5:24 AM

right, i'm only suggesting that our ublue-os/config RPM could probably have improved, more specific naming.

G

Gerblesh•7/23/23, 5:24 AM

I'm honestly horrible with naming and I don't understand a lot of these configs so I probably shouldn't be touching much of it

B

bshermanOP•7/23/23, 5:24 AM

which would hopefully aid in supporting downstream images like startingpoint

B

bshermanOP•7/23/23, 5:30 AM

oh, ublue-os already has the better naming i'd hoped for

B

bshermanOP•7/23/23, 5:31 AM

i was misreading

K

Kyle Gospo•7/23/23, 5:31 AM

only downside is that rebasing from a stock image is a pain in the ass

B

bshermanOP•7/23/23, 5:31 AM

yay for small happy wins

K

Kyle Gospo•7/23/23, 5:31 AM

but it's as clean as we can make it imo

K

Kyle Gospo•7/23/23, 5:31 AM

podman pull ghcr.io/ublue-os/config && rpm-ostree install --assumeyes --apply-live --force-replacefiles $(find ~/.local/share/containers -name ublue-os-signing.noarch.rpm 2>/dev/null) && rpm-ostree rebase --uninstall $(rpm -q ublue-os-signing-* --queryformat '%{NAME}-%{VERSION}-%{RELEASE}.%{Arch}') ostree-image-signed:docker://ghcr.io/ublue-os/bazzite:latest

podman pull ghcr.io/ublue-os/config && rpm-ostree install --assumeyes --apply-live --force-replacefiles $(find ~/.local/share/containers -name ublue-os-signing.noarch.rpm 2>/dev/null) && rpm-ostree rebase --uninstall $(rpm -q ublue-os-signing-* --queryformat '%{NAME}-%{VERSION}-%{RELEASE}.%{Arch}') ostree-image-signed:docker://ghcr.io/ublue-os/bazzite:latest

podman pull ghcr.io/ublue-os/config && rpm-ostree install --assumeyes --apply-live --force-replacefiles $(find ~/.local/share/containers -name ublue-os-signing.noarch.rpm 2>/dev/null) && rpm-ostree rebase --uninstall $(rpm -q ublue-os-signing-* --queryformat '%{NAME}-%{VERSION}-%{RELEASE}.%{Arch}') ostree-image-signed:docker://ghcr.io/ublue-os/bazzite:latest

podman pull ghcr.io/ublue-os/config && rpm-ostree install --assumeyes --apply-live --force-replacefiles $(find ~/.local/share/containers -name ublue-os-signing.noarch.rpm 2>/dev/null) && rpm-ostree rebase --uninstall $(rpm -q ublue-os-signing-* --queryformat '%{NAME}-%{VERSION}-%{RELEASE}.%{Arch}') ostree-image-signed:docker://ghcr.io/ublue-os/bazzite:latest

K

Kyle Gospo•7/23/23, 5:32 AM

pull the rpm containing the keys, install it (with no reboot needed), then uninstall it and rebase at the same time

K

Kyle Gospo•7/23/23, 5:32 AM

now you're on a signed image

B

bshermanOP•7/23/23, 5:33 AM

right, the only way to improve that is 1) have an installer which provides this by default... or 2) provide the

ublue-os-signing.noarch.rpm

ublue-os-signing.noarch.rpm

ublue-os-signing.noarch.rpm

ublue-os-signing.noarch.rpm for users to install with

rpm-ostree install -A ublue-os-signing.noarch.rpm

rpm-ostree install -A ublue-os-signing.noarch.rpm

rpm-ostree install -A ublue-os-signing.noarch.rpm

rpm-ostree install -A ublue-os-signing.noarch.rpm then the rebase command should work...

well, that's what your one liner does

just it's scary to the average user

G

Gerblesh•7/23/23, 5:34 AM

huh

Bbsherman right, the only way to improve that is 1) have an installer which provides this ...

K

Kyle Gospo•7/23/23, 5:37 AM

shout out to @xkrith for that one

J

j0rge•7/23/23, 3:10 PM

@bsherman nices fixes this morning thank you, main's done and I kicked off nvidia

J

j0rge•7/23/23, 3:11 PM

<-- must have these improvements lol

Jj0rge <-- must have these improvements lol

B

bshermanOP•7/23/23, 4:57 PM

i just realized i probably should have incremented the version and done a changelog entry for the containers policy thing, but oh well

E

EyeCantCU•7/23/23, 6:47 PM

The horror of a spec file not having a changelog! What will we ever do

G

Gerblesh•7/23/23, 7:14 PM

@j0rge sorry, you merged a broken PR, I fixed it in my new one. Should've made it a draft, that was my bad

G

Gerblesh•7/23/23, 7:15 PM

basically it fixes jq not having inplace editing, variable substitution, and renames cosign,yaml and cosign.pub to match the repo name

G

Gerblesh•7/23/23, 7:16 PM

{
  "default": [
    {
      "type": "reject"
    }
  ],
  "transports": {
    "docker": {
      "registry.access.redhat.com": [
        {
          "type": "signedBy",
          "keyType": "GPGKeys",
          "keyPath": "/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release"
        }
      ],
      "registry.redhat.io": [
        {
          "type": "signedBy",
          "keyType": "GPGKeys",
          "keyPath": "/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release"
        }
      ],
      "ghcr.io/ublue-os": [
        {
          "type": "sigstoreSigned",
          "keyPath": "/usr/etc/pki/containers/ublue-os.pub",
          "signedIdentity": {
            "type": "matchRepository"
          }
        }
      ],
      "": [
        {
          "type": "insecureAcceptAnything"
        }
      ],
      "ghcr.io/gerblesh": [
        {
          "type": "sigstoreSigned",
          "keyPath": "/usr/etc/pki/containers/usway.pub",
          "signedIdentity": {
            "type": "matchRepository"
          }
        }
      ]
    },
    "docker-daemon": {
      "": [
        {
          "type": "insecureAcceptAnything"
        }
      ]
    },
    "atomic": {
      "": [
        {
          "type": "insecureAcceptAnything"
        }
      ]
    },
    "containers-storage": {
      "": [
        {
          "type": "insecureAcceptAnything"
        }
      ]
    },
    "dir": {
      "": [
        {
          "type": "insecureAcceptAnything"
        }
      ]
    },
    "oci": {
      "": [
        {
          "type": "insecureAcceptAnything"
        }
      ]
    },
    "tarball": {
      "": [
        {
          "type": "insecureAcceptAnything"
        }
      ]
    }
  }
}

{
  "default": [
    {
      "type": "reject"
    }
  ],
  "transports": {
    "docker": {
      "registry.access.redhat.com": [
        {
          "type": "signedBy",
          "keyType": "GPGKeys",
          "keyPath": "/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release"
        }
      ],
      "registry.redhat.io": [
        {
          "type": "signedBy",
          "keyType": "GPGKeys",
          "keyPath": "/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release"
        }
      ],
      "ghcr.io/ublue-os": [
        {
          "type": "sigstoreSigned",
          "keyPath": "/usr/etc/pki/containers/ublue-os.pub",
          "signedIdentity": {
            "type": "matchRepository"
          }
        }
      ],
      "": [
        {
          "type": "insecureAcceptAnything"
        }
      ],
      "ghcr.io/gerblesh": [
        {
          "type": "sigstoreSigned",
          "keyPath": "/usr/etc/pki/containers/usway.pub",
          "signedIdentity": {
            "type": "matchRepository"
          }
        }
      ]
    },
    "docker-daemon": {
      "": [
        {
          "type": "insecureAcceptAnything"
        }
      ]
    },
    "atomic": {
      "": [
        {
          "type": "insecureAcceptAnything"
        }
      ]
    },
    "containers-storage": {
      "": [
        {
          "type": "insecureAcceptAnything"
        }
      ]
    },
    "dir": {
      "": [
        {
          "type": "insecureAcceptAnything"
        }
      ]
    },
    "oci": {
      "": [
        {
          "type": "insecureAcceptAnything"
        }
      ]
    },
    "tarball": {
      "": [
        {
          "type": "insecureAcceptAnything"
        }
      ]
    }
  }
}

{
  "default": [
    {
      "type": "reject"
    }
  ],
  "transports": {
    "docker": {
      "registry.access.redhat.com": [
        {
          "type": "signedBy",
          "keyType": "GPGKeys",
          "keyPath": "/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release"
        }
      ],
      "registry.redhat.io": [
        {
          "type": "signedBy",
          "keyType": "GPGKeys",
          "keyPath": "/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release"
        }
      ],
      "ghcr.io/ublue-os": [
        {
          "type": "sigstoreSigned",
          "keyPath": "/usr/etc/pki/containers/ublue-os.pub",
          "signedIdentity": {
            "type": "matchRepository"
          }
        }
      ],
      "": [
        {
          "type": "insecureAcceptAnything"
        }
      ],
      "ghcr.io/gerblesh": [
        {
          "type": "sigstoreSigned",
          "keyPath": "/usr/etc/pki/containers/usway.pub",
          "signedIdentity": {
            "type": "matchRepository"
          }
        }
      ]
    },
    "docker-daemon": {
      "": [
        {
          "type": "insecureAcceptAnything"
        }
      ]
    },
    "atomic": {
      "": [
        {
          "type": "insecureAcceptAnything"
        }
      ]
    },
    "containers-storage": {
      "": [
        {
          "type": "insecureAcceptAnything"
        }
      ]
    },
    "dir": {
      "": [
        {
          "type": "insecureAcceptAnything"
        }
      ]
    },
    "oci": {
      "": [
        {
          "type": "insecureAcceptAnything"
        }
      ]
    },
    "tarball": {
      "": [
        {
          "type": "insecureAcceptAnything"
        }
      ]
    }
  }
}

{
  "default": [
    {
      "type": "reject"
    }
  ],
  "transports": {
    "docker": {
      "registry.access.redhat.com": [
        {
          "type": "signedBy",
          "keyType": "GPGKeys",
          "keyPath": "/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release"
        }
      ],
      "registry.redhat.io": [
        {
          "type": "signedBy",
          "keyType": "GPGKeys",
          "keyPath": "/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release"
        }
      ],
      "ghcr.io/ublue-os": [
        {
          "type": "sigstoreSigned",
          "keyPath": "/usr/etc/pki/containers/ublue-os.pub",
          "signedIdentity": {
            "type": "matchRepository"
          }
        }
      ],
      "": [
        {
          "type": "insecureAcceptAnything"
        }
      ],
      "ghcr.io/gerblesh": [
        {
          "type": "sigstoreSigned",
          "keyPath": "/usr/etc/pki/containers/usway.pub",
          "signedIdentity": {
            "type": "matchRepository"
          }
        }
      ]
    },
    "docker-daemon": {
      "": [
        {
          "type": "insecureAcceptAnything"
        }
      ]
    },
    "atomic": {
      "": [
        {
          "type": "insecureAcceptAnything"
        }
      ]
    },
    "containers-storage": {
      "": [
        {
          "type": "insecureAcceptAnything"
        }
      ]
    },
    "dir": {
      "": [
        {
          "type": "insecureAcceptAnything"
        }
      ]
    },
    "oci": {
      "": [
        {
          "type": "insecureAcceptAnything"
        }
      ]
    },
    "tarball": {
      "": [
        {
          "type": "insecureAcceptAnything"
        }
      ]
    }
  }
}

GGerblesh ``` { "default": [ { "type": "reject" } ], "transports": { ...

G

Gerblesh•7/23/23, 7:16 PM

idk if this is right, is it fine that the custom repo comes after the blank string?

G

Gerblesh•7/23/23, 7:17 PM

anyhow I gotta get going, sorry for making a broken PR and not marking it as draft

J

j0rge•7/23/23, 8:26 PM

ok I reverted, there's a conflict you need to resolve

GGerblesh anyhow I gotta get going, sorry for making a broken PR and not marking it as dra...

J

j0rge•7/23/23, 8:48 PM

no need to apologize, that's what git is for. walters just responded to my email, he's hoping to document the situation better this week, they were dealing with a higher priority issue last week.

GGerblesh idk if this is right, is it fine that the custom repo comes after the blank stri...

G

Gerblesh•7/24/23, 2:48 AM

does anyone know if the order matters?

J

j0rge•7/24/23, 2:53 AM

@bsherman @KyleGospo hey rando idea

J

j0rge•7/24/23, 2:54 AM

conceptually, since we're building akmods in that repo, couldn't we build nvidia there and then have the nvidia images build out of main?

R

Robert•7/24/23, 5:40 AM

That's what I've been doing for a while now, and it works great.

The only thing I am wanting to do is split the builds to be grouped by Fedora version. E.g. make sure 38-Nvidia does not depend on 37 builds

Jj0rge conceptually, since we're building akmods in that repo, couldn't we build nvidia...

K

Kyle Gospo•7/24/23, 6:12 AM

I'm not super familiar with how nvidia is built, but certainly we could host the kmod portion there

K

Kyle Gospo•7/24/23, 6:31 AM

@bsherman build errors on akmods are from Kernel 6.4, Gasket driver needed an update

the trick here is that startingpoint itself is signed with ublue-os key, but it's meant for users to

Similar Threads