From 180bd8cbe7e11016447481a55163858786d28411 Mon Sep 17 00:00:00 2001
From: Benjamin Sherman
Date: Tue, 2 Jul 2024 10:40:52 -0500
Subject: [PATCH 1/5] refactor: update cosign public key

---
 cosign.pub | 4 ++--
 files/usr/etc/pki/containers/ublue-os.pub | 4 ++--
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/cosign.pub b/cosign.pub
index f9482c42..bd5b1927 100644
--- a/cosign.pub
+++ b/cosign.pub
@@ -1,4 +1,4 @@
 -----BEGIN PUBLIC KEY-----
-MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE7lh7fJMV4dBT2jT1XafixUJa7OVA
-cT+QFVD8IfIJIS/KBAc8hx1aslzkH3tfeM0cwyCLB7kOStZ4sh6RyFQD9w==
+MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEHLRpBfPRYiMl9wb7s6fx47PzzNWu
+3zyJgXhWEvxoOgwv9CpwjbvUwR9qHxNMWkJhuGE6cjDA2hpy1I6NbA+24Q==
 -----END PUBLIC KEY-----
diff --git a/files/usr/etc/pki/containers/ublue-os.pub b/files/usr/etc/pki/containers/ublue-os.pub
index f9482c42..bd5b1927 100644
--- a/files/usr/etc/pki/containers/ublue-os.pub
+++ b/files/usr/etc/pki/containers/ublue-os.pub
@@ -1,4 +1,4 @@
 -----BEGIN PUBLIC KEY-----
-MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE7lh7fJMV4dBT2jT1XafixUJa7OVA
-cT+QFVD8IfIJIS/KBAc8hx1aslzkH3tfeM0cwyCLB7kOStZ4sh6RyFQD9w==
+MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEHLRpBfPRYiMl9wb7s6fx47PzzNWu
+3zyJgXhWEvxoOgwv9CpwjbvUwR9qHxNMWkJhuGE6cjDA2hpy1I6NbA+24Q==
 -----END PUBLIC KEY-----

From c9afb3114859321f8ddf5afe6efbcf04cfb0cc87 Mon Sep 17 00:00:00 2001
From: Robert Sturla
Date: Tue, 2 Jul 2024 17:52:51 +0100
Subject: [PATCH 2/5] Retain support for images signed with the old private key

---
 files/usr/etc/containers/policy.json | 2 +-
 files/usr/etc/pki/containers/ublue-os-old.pub | 4 ++++
 2 files changed, 5 insertions(+), 1 deletion(-)
 create mode 100644 files/usr/etc/pki/containers/ublue-os-old.pub

diff --git a/files/usr/etc/containers/policy.json b/files/usr/etc/containers/policy.json
index 8031745d..923fbe20 100644
--- a/files/usr/etc/containers/policy.json
+++ b/files/usr/etc/containers/policy.json
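Review bot: The hunk replaces the only trusted public key in `cosign.pub` without keeping the previous one, so once a policy.json that points at `ublue-os.pub` ships with this key, any image signed with the previous key and not yet re-signed fails sigstore verification on every client that picks up the update; the commit should say whether that is intended and how already-published images are handled. The subject also labels a trust-root change as `refactor:` and gives no reason for the rotation; a key change warrants a line on why it was rotated and how the new key's authenticity was established out of band, which is what a later reader needs to tell a planned rotation from a response to a key exposure. The second hunk of this commit repeats the identical change in `files/usr/etc/pki/containers/ublue-os.pub`; both blobs move f9482c42..bd5b1927, so the two files are evidently hand-kept copies, and a CI check that they stay byte-identical would stop the two trust roots from drifting apart.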
@@ -32,7 +32,7 @@
         "ghcr.io/ublue-os": [
             {
                 "type": "sigstoreSigned",
-                "keyPath": "/usr/etc/pki/containers/ublue-os.pub",
+                "keyPaths": ["/usr/etc/pki/containers/ublue-os.pub", "/usr/etc/pki/containers/ublue-os-old.pub"],
                 "signedIdentity": {
                     "type": "matchRepository"
                 }
diff --git a/files/usr/etc/pki/containers/ublue-os-old.pub b/files/usr/etc/pki/containers/ublue-os-old.pub
new file mode 100644
index 00000000..f9482c42
--- /dev/null
+++ b/files/usr/etc/pki/containers/ublue-os-old.pub
@@ -0,0 +1,4 @@
+-----BEGIN PUBLIC KEY-----
+MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE7lh7fJMV4dBT2jT1XafixUJa7OVA
+cT+QFVD8IfIJIS/KBAc8hx1aslzkH3tfeM0cwyCLB7kOStZ4sh6RyFQD9w==
+-----END PUBLIC KEY-----

From d7b26c445f4da1e854e98c8f4b4fac6d163fbd50 Mon Sep 17 00:00:00 2001
From: Robert Sturla
Date: Tue, 2 Jul 2024 18:02:46 +0100
Subject: [PATCH 3/5] Update rpmspec file with new public key

---
 rpmspec/ublue-os-signing.spec | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/rpmspec/ublue-os-signing.spec b/rpmspec/ublue-os-signing.spec
index 0b0c57f4..b08cd18f 100644
--- a/rpmspec/ublue-os-signing.spec
+++ b/rpmspec/ublue-os-signing.spec
@@ -1,7 +1,7 @@
 Name: ublue-os-signing
 Packager: ublue-os
 Vendor: ublue-os
-Version: 0.2
+Version: 0.3
 Release: 1%{?dist}
 Summary: Signing files and keys for Universal Blue
 License: MIT
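Review bot: `keyPaths` on the added line is only understood by recent containers/image releases, and as far as I know the `sigstoreSigned` parser there rejects unknown fields rather than ignoring them, so an older podman/skopeo/rpm-ostree on a host that receives this policy.json would fail to load the whole policy file, breaking pulls for every scope rather than just `ghcr.io/ublue-os`. If older clients must keep working, the rotation needs a form they accept; otherwise record the minimum supported containers/image version in the commit message or in a comment next to the policy. The `ublue-os-old.pub` added in the next hunk should also get a planned removal date, in the spec or the README, since a retired signing key that stays trusted indefinitely undoes much of the benefit of rotating it.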
@@ -32,15 +32,20 @@ tar xf %{SOURCE0} -C %{buildroot} --strip-components=2
 %attr(0644,root,root) %{_datadir}/%{VENDOR}/%{sub_name}/%{_exec_prefix}/etc/containers/policy.json
 %attr(0644,root,root) %{_datadir}/%{VENDOR}/%{sub_name}/%{_exec_prefix}/etc/containers/registries.d/ublue-os.yaml
 %attr(0644,root,root) %{_datadir}/%{VENDOR}/%{sub_name}/%{_exec_prefix}/etc/pki/containers/ublue-os.pub
+%attr(0644,root,root) %{_datadir}/%{VENDOR}/%{sub_name}/%{_exec_prefix}/etc/pki/containers/ublue-os-old.pub
 %attr(0644,root,root) %{_datadir}/%{VENDOR}/%{sub_name}/%{_exec_prefix}/etc/containers/registries.d/quay.io-toolbx-images.yaml
 %attr(0644,root,root) %{_datadir}/%{VENDOR}/%{sub_name}/%{_exec_prefix}/etc/pki/containers/quay.io-toolbx-images.pub
 %attr(0644,root,root) %{_exec_prefix}/etc/containers/policy.json
 %attr(0644,root,root) %{_exec_prefix}/etc/containers/registries.d/ublue-os.yaml
 %attr(0644,root,root) %{_exec_prefix}/etc/pki/containers/ublue-os.pub
+%attr(0644,root,root) %{_exec_prefix}/etc/pki/containers/ublue-os-old.pub
 %attr(0644,root,root) %{_exec_prefix}/etc/containers/registries.d/quay.io-toolbx-images.yaml
 %attr(0644,root,root) %{_exec_prefix}/etc/pki/containers/quay.io-toolbx-images.pub
 %changelog
+* Tue Jul 02 2024 Robert Sturla - 0.3
+- Update ublue public signing keys
+
 * Sat May 18 2024 qoijjj <129108030+qoijjj@users.noreply.github.com> - 0.2
 - Add signature verification for toolbx images

From 3544d0dc7072802aa3dd21a41b765f9d86369884 Mon Sep 17 00:00:00 2001
From: Robert Sturla
Date: Tue, 2 Jul 2024 18:07:18 +0100
Subject: [PATCH 4/5] Use separate entries for each pub key

---
 files/usr/etc/containers/policy.json | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/files/usr/etc/containers/policy.json b/files/usr/etc/containers/policy.json
index 923fbe20..6eea77f1 100644
--- a/files/usr/etc/containers/policy.json
+++ b/files/usr/etc/containers/policy.json
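Review bot: The new changelog entry `* Tue Jul 02 2024 Robert Sturla - 0.3` omits the `<email>` part that the existing entry below it carries, so the two entries no longer follow the same `* Day Mon DD YYYY Name <email> - version` shape. Suggest `* Tue Jul 02 2024 Robert Sturla <MAINTAINER_EMAIL> - 0.3` with the real address substituted. The entry text `Update ublue public signing keys` would also be the natural place to state that the previous key is kept as `ublue-os-old.pub` only for a transition period, since the spec now installs it into both trees and nothing else records when it is meant to go away.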
@@ -32,7 +32,14 @@
         "ghcr.io/ublue-os": [
             {
                 "type": "sigstoreSigned",
-                "keyPaths": ["/usr/etc/pki/containers/ublue-os.pub", "/usr/etc/pki/containers/ublue-os-old.pub"],
+                "keyPath": "/usr/etc/pki/containers/ublue-os.pub",
+                "signedIdentity": {
+                    "type": "matchRepository"
+                }
+            },
+            {
+                "type": "sigstoreSigned",
+                "keyPath": "/usr/etc/pki/containers/ublue-os-old.pub",
                 "signedIdentity": {
                     "type": "matchRepository"
                 }

From bdeebf6b27d1e8c0a80b1eb6c03468e301519a50 Mon Sep 17 00:00:00 2001
From: Robert Sturla
Date: Tue, 2 Jul 2024 19:19:16 +0100
Subject: [PATCH 5/5] Revert back to Ben's original code

---
 files/usr/etc/containers/policy.json | 9 +--------
 files/usr/etc/pki/containers/ublue-os-old.pub | 4 ----
 rpmspec/ublue-os-signing.spec | 7 +------
 3 files changed, 2 insertions(+), 18 deletions(-)
 delete mode 100644 files/usr/etc/pki/containers/ublue-os-old.pub

diff --git a/files/usr/etc/containers/policy.json b/files/usr/etc/containers/policy.json
index 6eea77f1..e407e964 100644
--- a/files/usr/etc/containers/policy.json
+++ b/files/usr/etc/containers/policy.json
@@ -32,14 +32,7 @@
         "ghcr.io/ublue-os": [
             {
                 "type": "sigstoreSigned",
-                "keyPath": "/usr/etc/pki/containers/ublue-os.pub",
-                "signedIdentity": {
-                    "type": "matchRepository"
-                }
-            },
-            {
-                "type": "sigstoreSigned",
-                "keyPath": "/usr/etc/pki/containers/ublue-os-old.pub",
+                "keyPath": "/etc/pki/containers/ublue-os.pub",
                 "signedIdentity": {
                     "type": "matchRepository"
                 }
diff --git a/files/usr/etc/pki/containers/ublue-os-old.pub b/files/usr/etc/pki/containers/ublue-os-old.pub
deleted file mode 100644
index f9482c42..00000000
--- a/files/usr/etc/pki/containers/ublue-os-old.pub
+++ /dev/null
@@ -1,4 +0,0 @@
------BEGIN PUBLIC KEY-----
-MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE7lh7fJMV4dBT2jT1XafixUJa7OVA
-cT+QFVD8IfIJIS/KBAc8hx1aslzkH3tfeM0cwyCLB7kOStZ4sh6RyFQD9w==
------END PUBLIC KEY-----
diff --git a/rpmspec/ublue-os-signing.spec b/rpmspec/ublue-os-signing.spec
index b08cd18f..0b0c57f4 100644
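Review bot: Splitting the two keys into separate `sigstoreSigned` entries changes the semantics rather than preserving them: the entries in a scope's requirement list are all required (containers-policy.json(5) accepts an image only when every requirement in the list is satisfied), so after this hunk an image under `ghcr.io/ublue-os` must carry a valid signature from both `ublue-os.pub` and `ublue-os-old.pub`, and an image signed with either key alone is rejected. The any-of behaviour the subject "Use separate entries for each pub key" is reaching for is exactly what the `keyPaths` array removed on the first changed line expressed. If `keyPaths` cannot be used on the targeted clients, there is no older policy.json form that says "either key" for one scope, so the choice is a single `keyPath` plus a re-signing plan, not two entries.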
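Review bot: The added line sets `keyPath` to `/etc/pki/containers/ublue-os.pub`, but the line it replaces (and the value before this series) was `/usr/etc/pki/containers/ublue-os.pub`, so this "revert" carries a path change that the subject "Revert back to Ben's original code" does not mention. The spec in this series still installs the key as `%{_exec_prefix}/etc/pki/containers/ublue-os.pub`; presumably the new path relies on `/usr/etc` being mirrored into `/etc` on ostree hosts, but on any image where that copy does not happen the policy names a file that does not exist and every pull from `ghcr.io/ublue-os` fails verification, so confirm the intent and say it in the commit message. The `ublue-os-old.pub` deletion in the following hunk removes trust in the previous key entirely; the message should state how images signed before the rotation are handled (re-signed, or expected to fail).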
--- a/rpmspec/ublue-os-signing.spec
+++ b/rpmspec/ublue-os-signing.spec
@@ -1,7 +1,7 @@
 Name: ublue-os-signing
 Packager: ublue-os
 Vendor: ublue-os
-Version: 0.3
+Version: 0.2
 Release: 1%{?dist}
 Summary: Signing files and keys for Universal Blue
 License: MIT
@@ -32,20 +32,15 @@ tar xf %{SOURCE0} -C %{buildroot} --strip-components=2
 %attr(0644,root,root) %{_datadir}/%{VENDOR}/%{sub_name}/%{_exec_prefix}/etc/containers/policy.json
 %attr(0644,root,root) %{_datadir}/%{VENDOR}/%{sub_name}/%{_exec_prefix}/etc/containers/registries.d/ublue-os.yaml
 %attr(0644,root,root) %{_datadir}/%{VENDOR}/%{sub_name}/%{_exec_prefix}/etc/pki/containers/ublue-os.pub
-%attr(0644,root,root) %{_datadir}/%{VENDOR}/%{sub_name}/%{_exec_prefix}/etc/pki/containers/ublue-os-old.pub
 %attr(0644,root,root) %{_datadir}/%{VENDOR}/%{sub_name}/%{_exec_prefix}/etc/containers/registries.d/quay.io-toolbx-images.yaml
 %attr(0644,root,root) %{_datadir}/%{VENDOR}/%{sub_name}/%{_exec_prefix}/etc/pki/containers/quay.io-toolbx-images.pub
 %attr(0644,root,root) %{_exec_prefix}/etc/containers/policy.json
 %attr(0644,root,root) %{_exec_prefix}/etc/containers/registries.d/ublue-os.yaml
 %attr(0644,root,root) %{_exec_prefix}/etc/pki/containers/ublue-os.pub
-%attr(0644,root,root) %{_exec_prefix}/etc/pki/containers/ublue-os-old.pub
 %attr(0644,root,root) %{_exec_prefix}/etc/containers/registries.d/quay.io-toolbx-images.yaml
 %attr(0644,root,root) %{_exec_prefix}/etc/pki/containers/quay.io-toolbx-images.pub
 %changelog
-* Tue Jul 02 2024 Robert Sturla - 0.3
-- Update ublue public signing keys
-
 * Sat May 18 2024 qoijjj <129108030+qoijjj@users.noreply.github.com> - 0.2
 - Add signature verification for toolbx images
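Review bot: Reverting `Version:` to 0.2 in the first hunk while `ublue-os.pub` in this series now holds a different key means a rebuilt package carries the same NEVRA (0.2-1) as the already-published build with the old key; rpm, dnf and rpm-ostree treat identical NEVRA as the same package and will not offer the new key as an update, so hosts keep trusting the old key until something else forces a reinstall. The second hunk also drops the only changelog line that recorded the key change. Keep `Version: 0.3` (or bump `Release:`) together with `* Tue Jul 02 2024 Robert Sturla - 0.3` / `- Update ublue public signing keys`; the removal of the two `ublue-os-old.pub` `%attr` lines is the right part to keep, since that file is deleted in this commit.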