From b5fb995abec5b67b0957ee96fb87c020c6cb0836 Mon Sep 17 00:00:00 2001
From: Sam Clark <1059176+samhclark@users.noreply.github.com>
Date: Fri, 18 Oct 2024 21:49:04 -0500
Subject: [PATCH] Add Cosign signing key

---
 Containerfile |  1 +
 README.md     | 27 +++++++++++++++++++++++++++
 cosign.pub    |  4 ++++
 3 files changed, 32 insertions(+)
 create mode 100644 cosign.pub

diff --git a/Containerfile b/Containerfile
index eee708f..4622453 100644
--- a/Containerfile
+++ b/Containerfile
@@ -1,6 +1,7 @@
 ARG silverblue_version=40
 FROM quay.io/fedora-ostree-desktops/silverblue:${silverblue_version}
 
+COPY cosign.pub /etc/pki/cosign/cosign.pub
 COPY overlay-root/etc/ /etc/
 
 RUN mkdir -p /var/opt \
diff --git a/README.md b/README.md
index ce61cf7..6af73ab 100644
--- a/README.md
+++ b/README.md
@@ -12,3 +12,30 @@ When things start breaking eventually, get the new key with:
 ```
 wget -O overlay-root/etc/pki/rpm-gpg/google-linux-public-key.asc https://dl.google.com/linux/linux_signing_key.pub
 ```
+
+## Cosign Signing Keys
+
+The resulting container images are signed by Cosign.
+The keys were generated with the following command:
+
+```
+$ GITHUB_TOKEN="$(gh auth token)" COSIGN_PASSWORD="$(head -c 33 /dev/urandom | base64)" cosign generate-key-pair github://samhclark/custom-silverblue --output-file cosign.pub
+Password written to COSIGN_PASSWORD github actions secret
+Private key written to COSIGN_PRIVATE_KEY github actions secret
+Public key written to COSIGN_PUBLIC_KEY github actions secret
+Public key also written to cosign.pub
+```
+
+The key is included in the image at `/etc/pki/cosign/cosign.pub`. 
+You can also download the key with:
+
+```
+wget https://raw.githubusercontent.com/samhclark/custom-silverblue/refs/heads/main/cosign.pub
+```
+
+The SHA-256 checksum of the key that I originally created on October 18, 2024 is
+
+```
+$ sha256sum cosign.pub 
+55e391488bbbfe28209e09963edf38a612e306572b2dd72bbcc97402690ff000  cosign.pub
+```
\ No newline at end of file
diff --git a/cosign.pub b/cosign.pub
new file mode 100644
index 0000000..97228d2
--- /dev/null
+++ b/cosign.pub
@@ -0,0 +1,4 @@
+-----BEGIN PUBLIC KEY-----
+MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEeZFHiaCiaiJrPkLbyjpTKF9KFFex
+7o2M7HBLHUDHIdFIKVMkb1IOybx1bGrzdjUJ336Gh5Y5MRaSJhydIWsUww==
+-----END PUBLIC KEY-----