feature: configure image signing (#34)

rsturla · Oct 17, 2023 · 583cd8e · 583cd8e
1 parent f35d352
commit 583cd8e
Show file tree

Hide file tree

Showing 5 changed files with 135 additions and 0 deletions.
diff --git a/.github/actions/sign-image/action.yml b/.github/actions/sign-image/action.yml
@@ -0,0 +1,38 @@
+name: Sign OCI Image
+description: Signs an OCI image using cosign
+
+inputs:
+  cosign-version:
+    description: 'The version of cosign to use'
+    required: false
+    default: 'v2.2.0'
+  registry:
+    description: 'The registry to push the signed image to'
+    required: true
+  digest:
+    description: 'The digest of the image to sign'
+    required: true
+  private-key:
+    description: 'The private key to use for signing'
+    required: true
+  private-key-passphrase:
+    description: 'The passphrase for the private key'
+    required: false
+
+runs:
+  using: composite
+  steps:
+    - name: Setup Cosign
+      uses: sigstore/[email protected]
+      with:
+        cosign-release: ${{ inputs.cosign-version }}
+
+    - name: Sign OCI Image
+      shell: bash
+      run: |
+        cosign sign -y --key env://COSIGN_PRIVATE_KEY $REGISTRY@$DIGEST
+      env:
+        REGISTRY: ${{ inputs.registry }}
+        DIGEST: ${{ inputs.digest }}
+        COSIGN_PRIVATE_KEY: ${{ inputs.private-key }}
+        COSIGN_PASSWORD: ${{ inputs.private-key-passphrase }}
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -82,6 +82,14 @@ jobs:
             FEDORA_VERSION=${{ matrix.fedora-version }}
             FEDORA_EDITION=${{ matrix.fedora-edition }}
 
+      - name: Sign Image
+        uses: ./.github/actions/sign-image
+        with:
+          registry: ${{ env.IMAGE_REGISTRY }}/${{ env.IMAGE_NAME }}
+          digest: ${{ steps.build.outputs.digest }}
+          private-key: ${{ secrets.ETERNAL_LINUX_SIGNING_KEY }}
+          private-key-passphrase: ${{ secrets.ETERNAL_LINUX_SIGNING_KEY_PASSPHRASE }}
+
 
   build-nvidia:
     runs-on: ubuntu-latest
@@ -168,6 +176,14 @@ jobs:
             NVIDIA_VERSION=${{ matrix.nvidia-version }}
             BASE_TAG=${{ env.BASE_TAG }}
 
+      - name: Sign Image
+        uses: ./.github/actions/sign-image
+        with:
+          registry: ${{ env.IMAGE_REGISTRY }}/${{ env.IMAGE_NAME }}
+          digest: ${{ steps.build.outputs.digest }}
+          private-key: ${{ secrets.ETERNAL_LINUX_SIGNING_KEY }}
+          private-key-passphrase: ${{ secrets.ETERNAL_LINUX_SIGNING_KEY_PASSPHRASE }}
+
 
   check:
     runs-on: ubuntu-latest

diff --git a/files/usr/etc/containers/policy.json b/files/usr/etc/containers/policy.json
@@ -0,0 +1,74 @@
+{
+  "default": [
+      {
+          "type": "reject"
+      }
+  ],
+  "transports": {
+      "docker": {
+          "registry.access.redhat.com": [
+              {
+                  "type": "signedBy",
+                  "keyType": "GPGKeys",
+                  "keyPath": "/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release"
+              }
+          ],
+          "registry.redhat.io": [
+              {
+                  "type": "signedBy",
+                  "keyType": "GPGKeys",
+                  "keyPath": "/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release"
+              }
+          ],
+          "ghcr.io/rsturla/eternal-linux": [
+              {
+                  "type": "sigstoreSigned",
+                  "keyPath": "/usr/etc/pki/containers/eternal-linux.pub",
+                  "signedIdentity": {
+                      "type": "matchRepository"
+                  }
+              }
+          ],
+          "": [
+              {
+                  "type": "insecureAcceptAnything"
+              }
+          ]
+      },
+      "docker-daemon": {
+          "": [
+              {
+                  "type": "insecureAcceptAnything"
+              }
+          ]
+      },
+      "atomic": {
+          "": [
+              {
+                  "type": "insecureAcceptAnything"
+              }
+          ]
+      },
+      "dir": {
+          "": [
+              {
+                  "type": "insecureAcceptAnything"
+              }
+          ]
+      },
+      "oci": {
+          "": [
+              {
+                  "type": "insecureAcceptAnything"
+              }
+          ]
+      },
+      "tarball": {
+          "": [
+              {
+                  "type": "insecureAcceptAnything"
+              }
+          ]
+      }
+  }
+}
diff --git a/files/usr/etc/containers/registries.d/eternal-linux.yaml b/files/usr/etc/containers/registries.d/eternal-linux.yaml
@@ -0,0 +1,3 @@
+docker:
+  ghcr.io/rsturla/eternal-linux:
+    use-sigstore-attachments: true
diff --git a/files/usr/etc/pki/containers/eternal-linux.pub b/files/usr/etc/pki/containers/eternal-linux.pub
@@ -0,0 +1,4 @@
+-----BEGIN PUBLIC KEY-----
+MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEwX/aIrD4r9D+KPfpN7thao0GdNHd
+PscEonsyLDWGQL+rRNuOXfW91sF1HLbkCG5/8O+8nqtiJbVQbRPvwq4utA==
+-----END PUBLIC KEY-----