chore: Switch signing to use /etc/ & use jq instead of yq
fiftydinar authored Dec 9, 2024
1 parent 7f6bf02 commit 2a585d0
Showing 1 changed file with 16 additions and 19 deletions.
35 changes: 16 additions & 19 deletions modules/wayblue-signing/wayblue-signing.sh
Expand Up @@ -3,7 +3,7 @@
# Tell build process to exit if there are any errors.
set -euo pipefail

CONTAINER_DIR="/usr/etc/containers"
CONTAINER_DIR="/etc/containers"
MODULE_DIRECTORY="${MODULE_DIRECTORY:-"/tmp/modules"}"
IMAGE_NAME_FILE="${IMAGE_NAME//\//_}"
IMAGE_REGISTRY_TITLE=$(echo "$IMAGE_REGISTRY" | cut -d'/' -f2-)
Expand All @@ -19,30 +19,27 @@ if ! [ -d $CONTAINER_DIR/registries.d ]; then
mkdir -p "$CONTAINER_DIR/registries.d"
fi

if ! [ -d "/usr/etc/pki/containers" ]; then
mkdir -p "/usr/etc/pki/containers"
if ! [ -d "/etc/pki/containers" ]; then
mkdir -p "/etc/pki/containers"
fi

if ! [ -f "$CONTAINER_DIR/policy.json" ]; then
cp "$MODULE_DIRECTORY/signing/policy.json" "$CONTAINER_DIR/policy.json"
fi

mv "/usr/etc/pki/containers/$IMAGE_NAME.pub" "/usr/etc/pki/containers/$IMAGE_REGISTRY_TITLE.pub"
mv "/etc/pki/containers/$IMAGE_NAME.pub" "/etc/pki/containers/$IMAGE_REGISTRY_TITLE.pub"

TEMPLATE_POLICY="$MODULE_DIRECTORY/signing/policy.json"
POLICY_FILE="$CONTAINER_DIR/policy.json"

yq -i -o=j '.transports.docker |=
{"'"$IMAGE_REGISTRY"'": [
{
"type": "sigstoreSigned",
"keyPath": "/usr/etc/pki/containers/'"$IMAGE_REGISTRY_TITLE"'.pub",
"signedIdentity": {
"type": "matchRepository"
}
jq --arg image_registry "${IMAGE_REGISTRY}" \
--arg image_registry_title "${IMAGE_REGISTRY_TITLE}" \
'.transports.docker |=
{ $image_registry: [
{
"type": "sigstoreSigned",
"keyPath": ("/etc/pki/containers/" + $image_registry_title + ".pub"),
"signedIdentity": {
"type": "matchRepository"
}
]
}
+ .' "$POLICY_FILE"
}
] } + .' "${TEMPLATE_POLICY}" > "${POLICY_FILE}"

mv "$MODULE_DIRECTORY/signing/registry-config.yaml" "$CONTAINER_DIR/registries.d/$IMAGE_REGISTRY_TITLE.yaml"
sed -i "s ghcr.io/IMAGENAME $IMAGE_REGISTRY g" "$CONTAINER_DIR/registries.d/$IMAGE_REGISTRY_TITLE.yaml"
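Review bot: The new `jq … "${TEMPLATE_POLICY}" > "${POLICY_FILE}"` line rebuilds `/etc/containers/policy.json` from the module template on every run, so any entries already in that file (for example from the base image or an earlier module) are discarded, whereas the previous `yq -i` edited the existing file in place. Because this file decides which registries must present a valid signature, losing entries can silently change how images from those registries are verified. Consider reading the existing policy when it is present and falling back to the template only otherwise, and writing through a temporary file so a failed jq run cannot leave a truncated policy: `src="$POLICY_FILE"; [ -f "$src" ] || src="$TEMPLATE_POLICY"` followed by `jq … "$src" > "$POLICY_FILE.tmp" && mv "$POLICY_FILE.tmp" "$POLICY_FILE"`. The +/- markers are lost in this rendering, so check the raw diff to see whether the `cp` guard above the `mv` of the public key is still part of the new file.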
