diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml
index 7ec754e..a6c0ae2 100644
--- a/.github/workflows/build.yaml
+++ b/.github/workflows/build.yaml
@@ -23,6 +23,12 @@ jobs:
 - name: Checkout
 uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
+ - name: Install cosign
+ if: ${{ github.event_name != 'pull_request' }}
+ uses: sigstore/cosign-installer@dc72c7d5c4d10cd6bcb8cf6e3fd625a9e5e537da # v3.7.0
+ with:
+ cosign-release: 'v2.4.1'
+
 - name: Build image
 id: build
 uses: redhat-actions/buildah-build@7a95fa7ee0f02d552a32753e7414641a04307056 # v2.13
@@ -58,7 +64,19 @@ jobs:
 subject-name: ${{ env.REGISTRY }}/${{ github.repository_owner }}/${{ steps.build.outputs.image }}
 subject-digest: ${{ steps.push.outputs.digest }}
 push-to-registry: true
-
+
+ - name: Sign the published OCI image
+ if: ${{ github.event_name != 'pull_request' }}
+ env:
+ digest: ${{ steps.push.outputs.digest }}
+ fully_qualified_image_names_json: ${{ steps.push.outputs.registry-paths }}
+ COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
+ COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }}
+ run: >
+ echo "${fully_qualified_image_names_json}"
+ | jq -r '.[]'
+ | xargs -I {} cosign sign --yes --key=env://COSIGN_PRIVATE_KEY "{}@${digest}"
+
 - name: Echo outputs for auditing
 if: github.event_name != 'pull_request'
 run: |
diff --git a/Containerfile b/Containerfile
index eee708f..4622453 100644
--- a/Containerfile
+++ b/Containerfile
@@ -1,6 +1,7 @@
 ARG silverblue_version=40
 FROM quay.io/fedora-ostree-desktops/silverblue:${silverblue_version}
+COPY cosign.pub /etc/pki/cosign/cosign.pub
 COPY overlay-root/etc/ /etc/
 RUN mkdir -p /var/opt \
diff --git a/README.md b/README.md
index ce61cf7..6af73ab 100644
--- a/README.md
+++ b/README.md
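Review bot: The new step's condition `if: ${{ github.event_name != 'pull_request' }}` wraps the expression in `${{ }}` while the existing 'Echo outputs for auditing' step visible in the second hunk writes the same condition bare as `if: github.event_name != 'pull_request'`; both evaluate identically, but the file should settle on one form. The same applies to the `if:` on the 'Sign the published OCI image' step in the second hunk. The SHA-pinned installer with a `# v3.7.0` comment and the quoted `cosign-release: 'v2.4.1'` do follow the pinning convention the surrounding `uses:` lines already use.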
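Review bot: The `run: >` pipeline in the 'Sign the published OCI image' step has no `pipefail` and no `-e` on `jq`, so a malformed or empty `registry-paths` value is not reported by the pipeline itself; with the default run shell the step's status is whatever `xargs` returns, and whether `xargs -I {}` even invokes `cosign sign` on empty input depends on the xargs implementation, so the step can pass having signed nothing. The signatures are also never checked against the public key this same change commits as `cosign.pub`, so a mismatch between the `COSIGN_PRIVATE_KEY` secret and the shipped key would only surface on a client. I would set an explicit `shell: bash` with `set -euo pipefail`, fail on empty input via `jq -er`, and verify each signed reference with the checked-out `cosign.pub` (assuming the workspace root is the working directory), as below. The step env mixes lowercase `digest`/`fully_qualified_image_names_json` with uppercase `COSIGN_*` names; one case convention would read better.
```yaml
        shell: bash
        run: |
          set -euo pipefail
          jq -er '.[]' <<<"${fully_qualified_image_names_json}" | while read -r image; do
            cosign sign --yes --key=env://COSIGN_PRIVATE_KEY "${image}@${digest}"
            cosign verify --key cosign.pub "${image}@${digest}" >/dev/null
          done
```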
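Review bot: `COPY cosign.pub /etc/pki/cosign/cosign.pub` places the public key in the image, but nothing in this change references it from a container signature policy, so by itself the file does not make the installed system verify anything; if the intent is for the system to verify its own image updates, a `/etc/containers/policy.json` `sigstoreSigned` entry (with matching `registries.d` configuration) pointing at `/etc/pki/cosign/cosign.pub` is needed — possibly already present under `overlay-root/etc/`, which this diff does not show. Either way a comment such as `# Public key for verifying this image's cosign signatures; see README "Cosign Signing Keys"` above the COPY would record the intent. The `RUN mkdir -p /var/opt \` instruction at the end of the hunk continues outside it.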
@@ -12,3 +12,30 @@ When things start breaking eventually, get the new key with:
 ```
 wget -O overlay-root/etc/pki/rpm-gpg/google-linux-public-key.asc https://dl.google.com/linux/linux_signing_key.pub
 ```
+
+## Cosign Signing Keys
+
+The resulting container images are signed by Cosign.
+The keys were generated with the following command:
+
+```
+$ GITHUB_TOKEN="$(gh auth token)" COSIGN_PASSWORD="$(head -c 33 /dev/urandom | base64)" cosign generate-key-pair github://samhclark/custom-silverblue --output-file cosign.pub
+Password written to COSIGN_PASSWORD github actions secret
+Private key written to COSIGN_PRIVATE_KEY github actions secret
+Public key written to COSIGN_PUBLIC_KEY github actions secret
+Public key also written to cosign.pub
+```
+
+The key is included in the image at `/etc/pki/cosign/cosign.pub`.
+You can also download the key with:
+
+```
+wget https://raw.githubusercontent.com/samhclark/custom-silverblue/refs/heads/main/cosign.pub
+```
+
+The SHA-256 checksum of the key that I originally created on October 18, 2024 is
+
+```
+$ sha256sum cosign.pub
+55e391488bbbfe28209e09963edf38a612e306572b2dd72bbcc97402690ff000 cosign.pub
+```
\ No newline at end of file
diff --git a/cosign.pub b/cosign.pub
new file mode 100644
index 0000000..97228d2
--- /dev/null
+++ b/cosign.pub
@@ -0,0 +1,4 @@
+-----BEGIN PUBLIC KEY-----
+MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEeZFHiaCiaiJrPkLbyjpTKF9KFFex
+7o2M7HBLHUDHIdFIKVMkb1IOybx1bGrzdjUJ336Gh5Y5MRaSJhydIWsUww==
+-----END PUBLIC KEY-----