diff --git a/Containerfile b/Containerfile index eee708f..4622453 100644 --- a/Containerfile +++ b/Containerfile @@ -1,6 +1,7 @@ ARG silverblue_version=40 FROM quay.io/fedora-ostree-desktops/silverblue:${silverblue_version} +COPY cosign.pub /etc/pki/cosign/cosign.pub COPY overlay-root/etc/ /etc/ RUN mkdir -p /var/opt \ diff --git a/README.md b/README.md index ce61cf7..6af73ab 100644 --- a/README.md +++ b/README.md @@ -12,3 +12,30 @@ When things start breaking eventually, get the new key with: ``` wget -O overlay-root/etc/pki/rpm-gpg/google-linux-public-key.asc https://dl.google.com/linux/linux_signing_key.pub ``` + +## Cosign Signing Keys + +The resulting container images are signed by Cosign. +The keys were generated with the following command: + +``` +$ GITHUB_TOKEN="$(gh auth token)" COSIGN_PASSWORD="$(head -c 33 /dev/urandom | base64)" cosign generate-key-pair github://samhclark/custom-silverblue --output-file cosign.pub +Password written to COSIGN_PASSWORD github actions secret +Private key written to COSIGN_PRIVATE_KEY github actions secret +Public key written to COSIGN_PUBLIC_KEY github actions secret +Public key also written to cosign.pub +``` + +The key is included in the image at `/etc/pki/cosign/cosign.pub`. +You can also download the key with: + +``` +wget https://raw.githubusercontent.com/samhclark/custom-silverblue/refs/heads/main/cosign.pub +``` + +The SHA-256 checksum of the key that I originally created on October 18, 2024 is + +``` +$ sha256sum cosign.pub +55e391488bbbfe28209e09963edf38a612e306572b2dd72bbcc97402690ff000 cosign.pub +``` \ No newline at end of file diff --git a/cosign.pub b/cosign.pub new file mode 100644 index 0000000..97228d2 --- /dev/null +++ b/cosign.pub @@ -0,0 +1,4 @@ +-----BEGIN PUBLIC KEY----- +MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEeZFHiaCiaiJrPkLbyjpTKF9KFFex +7o2M7HBLHUDHIdFIKVMkb1IOybx1bGrzdjUJ336Gh5Y5MRaSJhydIWsUww== +-----END PUBLIC KEY-----