Add Cosign signing key

samhclark · Oct 19, 2024 · b5fb995 · b5fb995
1 parent 9569a7d
commit b5fb995
Show file tree

Hide file tree

Showing 3 changed files with 32 additions and 0 deletions.
diff --git a/Containerfile b/Containerfile
@@ -1,6 +1,7 @@
 ARG silverblue_version=40
 FROM quay.io/fedora-ostree-desktops/silverblue:${silverblue_version}
 
+COPY cosign.pub /etc/pki/cosign/cosign.pub
 COPY overlay-root/etc/ /etc/
 
 RUN mkdir -p /var/opt \

diff --git a/README.md b/README.md
@@ -12,3 +12,30 @@ When things start breaking eventually, get the new key with:
 ```
 wget -O overlay-root/etc/pki/rpm-gpg/google-linux-public-key.asc https://dl.google.com/linux/linux_signing_key.pub
 ```
+
+## Cosign Signing Keys
+
+The resulting container images are signed by Cosign.
+The keys were generated with the following command:
+
+```
+$ GITHUB_TOKEN="$(gh auth token)" COSIGN_PASSWORD="$(head -c 33 /dev/urandom | base64)" cosign generate-key-pair github://samhclark/custom-silverblue --output-file cosign.pub
+Password written to COSIGN_PASSWORD github actions secret
+Private key written to COSIGN_PRIVATE_KEY github actions secret
+Public key written to COSIGN_PUBLIC_KEY github actions secret
+Public key also written to cosign.pub
+```
+
+The key is included in the image at `/etc/pki/cosign/cosign.pub`. 
+You can also download the key with:
+
+```
+wget https://raw.githubusercontent.com/samhclark/custom-silverblue/refs/heads/main/cosign.pub
+```
+
+The SHA-256 checksum of the key that I originally created on October 18, 2024 is
+
+```
+$ sha256sum cosign.pub 
+55e391488bbbfe28209e09963edf38a612e306572b2dd72bbcc97402690ff000  cosign.pub
+```
diff --git a/cosign.pub b/cosign.pub
@@ -0,0 +1,4 @@
+-----BEGIN PUBLIC KEY-----
+MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEeZFHiaCiaiJrPkLbyjpTKF9KFFex
+7o2M7HBLHUDHIdFIKVMkb1IOybx1bGrzdjUJ336Gh5Y5MRaSJhydIWsUww==
+-----END PUBLIC KEY-----